Abstract

A great variety of static analyses that compute safety properties of
single-thread programs have now been developed. This paper presents
a systematic method to extend a class of such static analyses, so that
they handle programs with multiple POSIX-style threads. Starting
from a pragmatic operational semantics, we build a denotational
semantics that expresses assume-guarantee reasoning. The final
algorithm is then derived by abstract interpretation. It analyses each
thread in turn, propagating interferences between threads in addition
to other semantic information. The combinatorial explosion that would
follow from explicitly considering all interleavings is thus avoided.
The worst-case complexity is only increased by a factor n compared
to the single-thread case, where n is the number of instructions in the
program. We have implemented prototype tools, demonstrating the
practicality of the approach.

1 Introduction 



Many static analyses have been developed to check safety properties of
sequential programs [1, 2, 3, 4, 5], while more and more software applications
are multithreaded. Naive approaches to analyzing such applications would
explore all possible interleavings, which is impractical. Some previous
proposals avoid this combinatorial explosion (see Related Work). Our
contribution is to show that every static analysis framework for single-thread
programs extends to one that analyzes multithreaded code with dynamic
thread creation, and with only a modest increase in complexity. We ignore
concurrency-specific bugs, e.g., race conditions or deadlocks, as do some other
authors [6]. Such bugs, if any, can be detected using orthogonal techniques
[7, 8].

Outline We describe in Section 2 a toy imperative language. It contains
the essential features of C with POSIX threads [9], including a thread creation
primitive. The main feature of multithreaded code is that parallel threads
may interfere, i.e., side-effects of one thread may change the value of
variables in other threads. To take interference between threads into account,
we model the behavior of a program by an infinite transition system: this is
the operational semantics of our language, which we describe in Section 2.3.
It is common practice in abstract interpretation to go from the concrete to
the abstract semantics through an intermediate so-called collecting semantics
[10]. In our case a different but similar concept is needed, which we call
G-collecting semantics, and which we introduce in Section 3. This semantics
will discover states, accumulate transitions encountered in the current
thread and collect interferences from other threads. The main properties
of this semantics (Proposition 2 and Theorem 1) are the technical core of
this paper. These properties allow us to overapproximate the G-collecting
semantics by a denotational semantics. Section 4 then derives an abstract
semantics from the G-collecting semantics through abstract interpretation.
We discuss algorithmic issues, implementation, questions of precision, and
possible extensions in Section 5, examine the complexity of our analysis
technique in Section 6, and conclude in Section 7.

Related Work A great variety of static analyses that compute safety
properties of single-thread programs have been developed, e.g., intervals [4],
points-to graphs [11, 3], non-relational stores [1, 2] or relational stores such
as octagons [5].

Our approach is similar to Rugina and Rinard [12, 13], in the sense that
we also use an abstract semantics that derives tuples containing information
about current states, transitions of the current thread, and interference from
other threads. While their main parallel primitive is par, which runs two
threads and waits for their completion before resuming computation, we are
mostly interested in the more challenging thread creation primitive create,
which spawns a thread that can survive its father. In Section 6.3, we handle
par to show how it can be dealt with by our techniques.

Some authors present generalizations of specific analyses to multithreaded
code, e.g., Venet and Brat [14] and Lammich and Müller-Olm [6], while our
framework extends any single-threaded code analysis.

Our approach also has some similarities with Flanagan and Qadeer [15].
They use a model-checking approach to verify multithreaded programs.
Their algorithm computes a guarantee condition for each thread; one can
see our static analysis framework as computing a guarantee, too. Furthermore,
both analyses abstract away the number and the ordering of interferences
from other threads. Flanagan and Qadeer's approach still keeps some concrete
information, in the form of triples containing a thread id, and concrete
stores before and after transitions. They claim that their algorithm takes
polynomial time in the size of the computed set of triples. However, such
sets can have exponential size in the number of global variables of the program.
When the nesting depth of loops and thread creation statements is
bounded, our algorithm works in polynomial time. Moreover, we demonstrate
that our analysis is still precise on realistic examples. Finally, while
Flanagan and Qadeer assume a given, static set of threads created at program
start-up, we handle dynamic thread creation. The same restriction is
required in Malkis et al. [16].

The 3VMC tool [17] has a more general scope. This is an extension of 
TVLA designed to do shape analysis and to detect specific multithreaded 
bugs. However, even without multithreading, TVLA already runs in doubly 
exponential time [18]. 

Other papers focus on bugs that arise because of multithreading primitives.
This is orthogonal to our work. See [19, 20] for atomicity properties,
the Locksmith and Goblint tools [7, 21, 22] for data races and [8] for deadlock
detection using geometric ideas.

2 Syntax and Operational Semantics 
2.1 Simplified Language. 

The syntax of our language is given in Fig. 1. The syntax of the language
is decomposed in two parts: commands (cmd) and statements (stmt). A
statement cmd, ℓ' is a command with a return label where it should go after
completion. E.g., in Fig. 2a, a thread at label ℓ3 will execute ℓ3 create(ℓ4 x :=
x + 1), ℓ2. Commands and statements are labeled, and we denote by Labels
the set of labels. Labels represent the control flow: the statement ℓ stmt, ℓ'
begins at label ℓ and terminates at label ℓ', e.g., in Fig. 2b, a thread at label ℓ2
will execute the assignment x := x + 1 and go to label ℓ3. It is assumed that in
a given command or statement each label appears only once. Furthermore, to
represent the end of the execution, we assume a special label ℓ∞ which never
appears in a command, but may appear as the return label of a statement.
Intuitively, this label represents the termination of a thread: a thread at this
label will not be able to execute any statement.

lv ::=                                  left value
    x                                   variable
    *e                                  pointer deref
e ::=                                   expression
    c                                   constant
    lv                                  left value
    o(e1, e2)                           operator
    &x                                  address
cond ::=                                condition
    x                                   variable
    ¬cond                               negation
cmd ::=                                 command
    ℓ lv := e                           assignment
    cmd1; cmd2                          sequence
    ℓ if(cond)then{cmd1}else{cmd2}      if
    ℓ while(cond){cmd}                  while
    ℓ create(cmd)                       new thread
stmt ::=                                statement
    cmd, ℓ'                             command
    ℓ guard(cond), ℓ'                   guard
    ℓ spawn(ℓ''), ℓ'                    new thread

Figure 1: Syntax

ℓ1 x := 0;
ℓ2 while(true){ ℓ3 create(ℓ4 x := x + 1) }, ℓ∞
(a) ℓ1 example1, ℓ∞

ℓ5 x := 0; ℓ6 y := 0;
ℓ7 create(ℓ8 x := x + y);
ℓ9 y := 3, ℓ∞
(b) ℓ5 example2, ℓ∞

ℓ1 y := 0; ℓ2 z := 0;
ℓ3 create(ℓ4 y := y + z);
ℓ5 z := 3, ℓ∞
(c) ℓ1 example3, ℓ∞

ℓ12 create(ℓ13 y := 3);
ℓ14 y := 1; ℓ15 z := y, ℓ∞
(d) ℓ10 example4, ℓ∞

Figure 2: Program Examples

Notice that sequences cmd1; cmd2 are not labeled. Indeed, the label of
a sequence is implicitly the label of the first command, e.g., the program of
Fig. 2b is a sequence labeled by ℓ5. We write ℓ cmd when the label of cmd is
ℓ, and we write ℓ stmt, ℓ' for the statement stmt labeled by ℓ and ℓ'. A program is
represented by a statement of the form ℓ cmd, ℓ∞. Other statements represent
a partial execution of a program. The statements create, while and if are not
atomic: they are composed of several basic steps, e.g., entering a while
loop. To model these basic steps, we introduce the statements ℓ1 spawn(ℓ2), ℓ3
and ℓ1 guard(cond), ℓ2. The semantics of create, while and if will then be
defined using the semantics of ℓ1 spawn(ℓ2), ℓ3 and ℓ1 guard(cond), ℓ2. Local
variables are irrelevant to our work, hence all variables in our language are
global. Nevertheless, local variables have been implemented (see Section 5)
as a stack.

This is a toy imperative language with dynamic thread creation. It can
easily be extended to handle real-world languages like C or Ada, see Sections
2.4 and 5.

2.2 Description of the system. 

To represent threads, we use a set Ids of thread identifiers. During an execution
of a program, each thread is represented by a different identifier. We
assume a distinguished identifier main ∈ Ids, and take it to denote the
initial thread.

When a program is executed, threads go from one label to another
independently. A control point is a partial function P that maps thread
identifiers to labels and that is defined at main. A control point associates
each thread with its current label. The domain of P is the set of created
threads; the other identifiers may be used later in the execution, for new
threads. Let 𝒫 be the set of control points. We write Dom(P) for the domain
of P and let P[i ↦ ℓ] be the partial function defined by

    P[i ↦ ℓ](j) = ℓ           if i = j
                  P(j)        if j ∈ Dom(P) \ {i}
                  undefined   otherwise

Furthermore, threads may create other threads at any time. A genealogy
of threads is a finite sequence of tuples (i, ℓ, j) ∈ Ids × Labels × Ids such that
(a) any two tuples (i1, ℓ1, j1) and (i2, ℓ2, j2) have distinct third components
(i.e., j1 ≠ j2), (b) main is never the third component of a tuple. Such a
tuple (i, ℓ, j) means that thread i created thread j at label ℓ. We write "j has
been created in g" to say that a tuple (i, ℓ, j) appears in g. Let Genealogies
be the set of genealogies. We write g · g' for the concatenation of the genealogies
g and g'. The hypothesis (a) means that a thread is never created twice;
the hypothesis (b) means that the thread main is never created: it already
exists at the beginning of the execution.

We let Stores be the set of stores. We leave the precise semantics of
stores undefined for now, and only require two primitives write_{lv:=e}(σ) and
bool(σ, cond). Given a store σ, write_{lv:=e}(σ) returns the store modified by the
assignment lv := e. The function bool evaluates a condition cond in a store
σ, returning true or false.

A tuple (i, P, σ, g) ∈ Ids × 𝒫 × Stores × Genealogies is a state if (a) i ∈
Dom(P), (b) Dom(P) is the disjoint union of {main} and the set of
threads created in g. Let States be the set of states. In a state
(i, P, σ, g), i is the currently running thread, P states where we are
in the control flow, σ is the current store and g is the genealogy of thread
creations. Dom(P) is the set of existing threads. The hypothesis (a) means
that the current thread exists; the hypothesis (b) means that the only threads
that exist are the initial thread and the threads created in the past.

In the single-threaded case, only the store and the control point of the
unique thread are needed. In the case of several threads, the control point of
each thread is needed: this is P.

There are two standard ways to model interferences between threads: 

• Either all threads are active, and at any time any thread can fire a
transition,

• or, in each state there is an "active thread", a.k.a. a "current thread",
and some so-called schedule transitions can change the active thread.

Our model rests on the latter choice: this allows us to keep track of a thread
during execution. Thread ids do not carry information as to how threads
were created. This is the role of the g component of states.

Given a program ℓ0 cmd, the set Init of initial states is the set of
tuples (main, P0, σ, ε) where Dom(P0) = {main}, P0(main) = ℓ0, σ is an
arbitrary store, and ε is the empty word.

A transition is a pair of states τ = ((i, P, σ, g), (i', P', σ', g · g')) such that
∀j ∈ Dom(P) \ {i}, P(j) = P'(j) and, if (j, ℓ, j') is a letter of g', then j = i
and P(i) = ℓ.

We denote by Tr the set of all transitions and by Schedule =
{((i, P, σ, g), (j, P, σ, g)) ∈ Tr | i ≠ j} the set of transitions that may appear




assign
    σ' = write_{lv:=e}(σ)
    --------------------------------------------
    ℓ1 lv := e, ℓ2 ⊢ (ℓ1, σ) → (ℓ2, σ')

guard
    bool(σ, cond) = true
    --------------------------------------------
    ℓ1 guard(cond), ℓ2 ⊢ (ℓ1, σ) → (ℓ2, σ)

while entry
    ℓ1 guard(cond), ℓ2 ⊢ t
    --------------------------------------------
    ℓ1 while(cond){ℓ2 cmd}, ℓ3 ⊢ t

while exit
    ℓ1 guard(¬cond), ℓ3 ⊢ t
    --------------------------------------------
    ℓ1 while(cond){ℓ2 cmd}, ℓ3 ⊢ t

then
    ℓ1 guard(cond), ℓ2 ⊢ t
    --------------------------------------------
    ℓ1 if(cond)then{ℓ2 cmd1}else{ℓ3 cmd2}, ℓ4 ⊢ t

else
    ℓ1 guard(¬cond), ℓ3 ⊢ t
    --------------------------------------------
    ℓ1 if(cond)then{ℓ2 cmd1}else{ℓ3 cmd2}, ℓ4 ⊢ t

parallel
    P(i) = ℓ1      ℓ1 stmt, ℓ2 ⊢ (ℓ1, σ) → (ℓ', σ')
    --------------------------------------------
    ℓ1 stmt, ℓ2 ⊩ (i, P, σ, g) → (i, P[i ↦ ℓ'], σ', g)

spawn
    P(i) = ℓ1      j is fresh in (i, P, σ, g)      P' = P[i ↦ ℓ3][j ↦ ℓ2]
    --------------------------------------------
    ℓ1 spawn(ℓ2), ℓ3 ⊩ (i, P, σ, g) → (i, P', σ, g · (i, ℓ2, j))

then body
    ℓ2 cmd1, ℓ4 ⊩ τ
    --------------------------------------------
    ℓ1 if(cond)then{ℓ2 cmd1}else{ℓ3 cmd2}, ℓ4 ⊩ τ

else body
    ℓ3 cmd2, ℓ4 ⊩ τ
    --------------------------------------------
    ℓ1 if(cond)then{ℓ2 cmd1}else{ℓ3 cmd2}, ℓ4 ⊩ τ

create
    ℓ1 spawn(ℓ2), ℓ3 ⊩ τ
    --------------------------------------------
    ℓ1 create(ℓ2 cmd), ℓ3 ⊩ τ

while body
    ℓ2 cmd, ℓ1 ⊩ τ
    --------------------------------------------
    ℓ1 while(cond){ℓ2 cmd}, ℓ3 ⊩ τ

sequence 1
    ℓ1 cmd1, ℓ2 ⊩ τ
    --------------------------------------------
    ℓ1 cmd1; ℓ2 cmd2, ℓ3 ⊩ τ

sequence 2
    ℓ2 cmd2, ℓ3 ⊩ τ
    --------------------------------------------
    ℓ1 cmd1; ℓ2 cmd2, ℓ3 ⊩ τ

child
    ℓ2 cmd, ℓ∞ ⊩ τ
    --------------------------------------------
    ℓ1 create(ℓ2 cmd), ℓ3 ⊩ τ

schedule
    P(j) is defined      i ≠ j
    --------------------------------------------
    ℓ stmt, ℓ' ⊩ (i, P, σ, g) → (j, P, σ, g)

Figure 3: Operational semantics rules



in the conclusion of rule "schedule", respectively. A transition in Schedule 
only changes the identifier of the current thread. 



2.3 Evolution. 

To model interleavings, we use a small-step semantics: each statement gives
rise to an infinite transition system over states where edges s1 → s2 correspond
to elementary computation steps from state s1 to s2. We define the
judgment ℓ1 stmt, ℓ2 ⊩ s1 → s2 to state that s1 → s2 is one of these global
computation steps that arise when stmt is executed, returning to label ℓ2
on termination. To simplify semantic rules, we use an auxiliary judgment
ℓ1 stmt, ℓ2 ⊢ (ℓ, σ) → (ℓ', σ') to describe evolutions that are local to a given
thread.

Judgments are derived using the rules of Fig. 3. The rule "parallel" transforms
local transitions into global transitions. The "while body" and "sequence"
rules are global because while loops and sequences may contain global
sub-commands, e.g., ℓ1 while(x){ ℓ2 create(ℓ3 x := 0) }. In "spawn", the expression
"j is fresh in (i, P, σ, g)" means that i ≠ j, P(j) is not defined and j
never appears in g, i.e., there is no tuple (i, ℓ, i') in g with i or i' equal to
j. Intuitively, a fresh identifier is an identifier that has never been used (we
keep track of used identifiers in g).

We define the set of transitions generated by the statement ℓ stmt, ℓ':

    Tr_{ℓ stmt, ℓ'} = {(s, s') | ℓ stmt, ℓ' ⊩ s → s'}.

Notice that, unlike Flanagan and Qadeer [15], an arbitrary number of
threads may be spawned, e.g., with the program ℓ1 example1, ℓ∞ of Fig. 2a.
Therefore, Ids is infinite, and so are 𝒫 and Tr_{ℓ stmt, ℓ'}. Furthermore, Stores may
be infinite, e.g., if a store maps variables to integers. Therefore, we cannot have
a complexity depending on the cardinal of Tr_{ℓ stmt, ℓ'}.

Example Let us consider stores that are maps from a unique variable to
an integer. We write [x = n] for the store that maps x to the integer n. The
transitions generated by the statements extracted from Fig. 2a are:

    Tr_{ℓ1 x := 0, ℓ2} = {((i, P, [x = n], g), (i, P[i ↦ ℓ2], [x = 0], g)) | P(i) = ℓ1 ∧ i ∈ Ids ∧ n ∈ ℤ},
    Tr_{ℓ4 x := x + 1, ℓ∞} = {((i, P, [x = n], g), (i, P[i ↦ ℓ∞], [x = n + 1], g)) | P(i) = ℓ4 ∧ i ∈ Ids ∧ n ∈ ℤ}.
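As an added illustration (our own code, not the authors' prototype), the rules of Fig. 3 can be executed on the statements of Fig. 2d that Section 3.2 discusses (ℓ12 create(ℓ13 y := 3); ℓ14 y := 1; ℓ15 z := y, ℓ∞). The encoding below is an assumption of this example: labels are integers, main is 0, the end label ℓ∞ is the string "inf", and a program maps each label to its basic statements (assign, guard, spawn), since create, while and if reduce to them; a while loop label carries both guard(cond) and guard(¬cond). The transition system is explored exhaustively, schedule transitions included, and the stores of the states in which every thread sits at ℓ∞ are collected, which shows that z may end with the value 3.

```python
from collections import deque

MAIN = 0        # the distinguished identifier main
INF = "inf"     # the special end label: a thread there executes nothing

# Constructed encoding of the basic statements of Fig. 1, keyed by label:
#   ("assign", x, f)  : x := e, where f computes the value of e in a store
#   ("guard", c)      : guard(cond), where c evaluates cond in a store
#   ("spawn", l_new)  : spawn(l''), the created thread starts at l_new
# Each label maps to a list of (statement, return label) pairs.
# Program of Fig. 2d:  l12 create(l13 y := 3); l14 y := 1; l15 z := y, l_inf
PROGRAM_2D = {
    12: [(("spawn", 13), 14)],
    13: [(("assign", "y", lambda s: 3), INF)],
    14: [(("assign", "y", lambda s: 1), 15)],
    15: [(("assign", "z", lambda s: s["y"]), INF)],
}

# Constructed single-thread loop  l1 while(x < 2){ l2 x := x + 1 }, l_inf,
# written with the two guards of the "while entry" / "while exit" rules.
PROGRAM_LOOP = {
    1: [(("guard", lambda s: s["x"] < 2), 2),
        (("guard", lambda s: not s["x"] < 2), INF)],
    2: [(("assign", "x", lambda s: s["x"] + 1), 1)],
}


def frz(d):
    """Hashable image of a dict (a control point P or a store sigma)."""
    return tuple(sorted(d.items()))


def fresh(P, g):
    """Smallest identifier that is not in Dom(P) and never appears in g."""
    used = {i for i, _ in P}
    for creator, _, child in g:
        used |= {creator, child}
    j = 0
    while j in used:
        j += 1
    return j


def step(prog, state):
    """All global transitions s -> s' derivable from s with Fig. 3: assign
    and guard lifted by "parallel", then "spawn", then "schedule"."""
    i, P, sigma, g = state
    Pd, sd = dict(P), dict(sigma)
    succ = []
    for stmt, ret in prog.get(Pd[i], []):
        if stmt[0] == "assign":            # sigma' = write_{x:=e}(sigma)
            _, x, f = stmt
            sd2 = dict(sd)
            sd2[x] = f(sd)
            succ.append((i, frz({**Pd, i: ret}), frz(sd2), g))
        elif stmt[0] == "guard":           # fires only if bool(sigma, cond)
            if stmt[1](sd):
                succ.append((i, frz({**Pd, i: ret}), sigma, g))
        elif stmt[0] == "spawn":           # P' = P[i -> ret][j -> l_new]
            j = fresh(P, g)
            P2 = frz({**Pd, i: ret, j: stmt[1]})
            succ.append((i, P2, sigma, g + ((i, stmt[1], j),)))
    for j in Pd:                           # "schedule": switch current thread
        if j != i:
            succ.append((j, P, sigma, g))
    return succ


def reachable(prog, init):
    """Breadth-first closure of the transition system from init."""
    seen, todo = {init}, deque([init])
    while todo:
        for t in step(prog, todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def final_stores(prog, init):
    """Stores of the states in which every existing thread sits at l_inf."""
    return {sigma for _, P, sigma, _ in reachable(prog, init)
            if all(lab == INF for _, lab in P)}


INIT_2D = (MAIN, frz({MAIN: 12}), frz({"y": 0, "z": 0}), ())
INIT_LOOP = (MAIN, frz({MAIN: 1}), frz({"x": 0}), ())


def z_values_example_2d():
    """Possible final values of z: 3 appears when l13 runs between l14 and l15."""
    return sorted({dict(s)["z"] for s in final_stores(PROGRAM_2D, INIT_2D)})


if __name__ == "__main__":
    print("final stores of Fig. 2d:", sorted(final_stores(PROGRAM_2D, INIT_2D)))
    print("z can end as:", z_values_example_2d())
    print("final stores of the loop:", final_stores(PROGRAM_LOOP, INIT_LOOP))
```

The genealogy of every final state of Fig. 2d is the single tuple (0, 13, 1): main created the thread 1 at label ℓ13, which is exactly the (i, ℓ, j) record that the "spawn" rule appends. The exhaustive exploration is what the analysis of Sections 3 and 4 avoids; it is affordable here only because the program has one child and bounded stores.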

2.4 Properties of the language 

Let Labs(ℓ cmd, ℓ∞) be the set of labels of the statement ℓ cmd, ℓ∞.

We also define, by induction on commands, the set of labels of subthreads
Labs_child(·) by:

    Labs_child(ℓ1 create(ℓ2 cmd), ℓ3) = Labs(ℓ2 cmd, ℓ∞),
    Labs_child(ℓ1 cmd1; ℓ2 cmd2, ℓ3) = Labs_child(ℓ1 cmd1, ℓ2) ∪ Labs_child(ℓ2 cmd2, ℓ3),
    Labs_child(ℓ1 if(cond)then{ℓ2 cmd1}else{ℓ3 cmd2}, ℓ4) = Labs_child(ℓ2 cmd1, ℓ4) ∪ Labs_child(ℓ3 cmd2, ℓ4),
    Labs_child(ℓ1 while(cond){ℓ2 cmd}, ℓ3) = Labs_child(ℓ2 cmd, ℓ1),

and, for basic commands, Labs_child(ℓ1 basic, ℓ2) = ∅.

A statement generates only transitions from its labels and to its labels;
this is formalized by the following lemma:

Lemma 1. If (s, s') ∈ Tr_{ℓ stmt, ℓ'} \ Schedule then label(s) ∈ Labs(ℓ stmt, ℓ') \
{ℓ'} and label(s') ∈ Labs(ℓ stmt, ℓ') and thread(s) = thread(s').

As a consequence of Lemma 1, we have the following lemma:

Lemma 2. If label(s) ∉ Labs(ℓ stmt, ℓ') \ {ℓ'} then for all states s', (s, s') ∉
Tr_{ℓ stmt, ℓ'} \ Schedule.

If, during the execution of a statement ℓ stmt, ℓ', a thread creates another
thread, then the subthread is at a label of the command; furthermore, it is in
Labs_child(ℓ stmt, ℓ').

Lemma 3. If (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ Tr_{ℓ stmt, ℓ'} \ Schedule and
j ∈ Dom(P') \ Dom(P) then P'(j) ∈ Labs_child(ℓ stmt, ℓ') ⊆ Labs(ℓ stmt, ℓ').

Lemma 4. If (s, s') ∈ Tr_{ℓ stmt, ℓ'} \ Schedule and label(s) ∈ Labs_child(ℓ stmt, ℓ') \
{ℓ'} then label(s') ∈ Labs(ℓ stmt, ℓ').

Furthermore ℓ ∈ Labs(ℓ stmt, ℓ') and ℓ' ∈ Labs(ℓ stmt, ℓ').

Notice that in Fig. 3 some statements are "atomic". We call these statements
basic statements. Formally, a basic statement is a statement of the
form ℓ1 lv := e, ℓ2, ℓ1 guard(cond), ℓ2 or ℓ1 spawn(ℓ3), ℓ2.

On basic statements, we have a more precise lemma on labels:

Lemma 5. Let ℓ1 basic, ℓ2 be a basic statement.

If (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ Tr_{ℓ1 basic, ℓ2} \ Schedule then thread(s) =
thread(s') and label(s) = ℓ1 and label(s') = ℓ2.

3 G-collecting Semantics 
3.1 Basic Concepts 

To prepare the grounds for abstraction, we introduce an intermediate semantics,
called G-collecting semantics, which associates a function on configurations
with each statement. The aim of this semantics is to associate with
each statement a transfer function that will be abstracted (see Section 4) as
an abstract transfer function.

    thread(i, P, σ, g) = i
    label(i, P, σ, g) = P(i)
    after(i, P, σ, g) = {(j, P', σ', g · g') ∈ States | j ∈ desc_{g'}({i})}

    For X ⊆ Ids:
    • desc_ε(X) = X
    • desc_{(i,ℓ,j)·g}(X) = desc_g(X ∪ {j})  if i ∈ X
                            desc_g(X)        otherwise

Figure 4: Auxiliary definitions

A concrete configuration is a tuple Q = (S, G, A): 1. S is the current state
of the system during an execution, 2. G, for guarantee, represents what the
current thread and its descendants can do, 3. and A, for assume, represents
what the other threads can do.

Formally, S is a set of states, and G and A are sets of transitions containing
Schedule. The set of concrete configurations is a complete lattice for the
ordering (S1, G1, A1) ⊑ (S2, G2, A2) ⟺ S1 ⊆ S2 ∧ G1 ⊆ G2 ∧ A1 ⊆ A2. Proposition
4 will establish the link between operational and G-collecting semantics.

Figure 5 illustrates the execution of a whole program.
Each vertical line represents the execution of a
thread from top to bottom, and each horizontal line
represents the creation of a thread. At the beginning
(top of the figure), there is only the thread main = j0.

During execution, each thread may execute transitions.
At state s, thread(s) denotes the currently
running thread (or current thread), see Fig. 4. In
Fig. 5, the current thread of s0 is j0 and the current
thread of s is j2.

During the program execution given in Fig. 5, j0 creates j1. We say
that j1 is a child of j0 and j0 is the parent of j1. Furthermore, j1 creates j3.

Figure 5: States

We then introduce the concept of descendant: the thread j3 is
a descendant of j0 because it has been created by j1 which has been created
by j0. More precisely, descendants depend on genealogies. Consider
the state s0 = (j0, P0, σ0, g0) with g0 = [(j0, ℓ1, j1)]: the set of descendants
of j0 from g0 (written desc_{g0}({j0}), see Fig. 4) is just {j0, j1}. The set of
descendants of a given thread increases during the execution of the program.
In Fig. 5, the genealogy of s is of the form g0 · g for some g, here
g = [(j0, ℓ2, j2), (j1, ℓ3, j3), (j2, ℓ4, j4)]. When the execution of the program
reaches the state s, the set of descendants of j0 from g0 · g is desc_{g0·g}({j0}) =
{j0, j1, j2, j3, j4}.

In a genealogy, there are two important pieces of information. First, there
is a tree structure: a thread creates children that may create children and so
on. Second, there is a global time, e.g., in g, the thread j2 has been created
before the thread j3.

Lemma 6. Let g · g' be a genealogy and i, j threads which are not created in g'. Then
either desc_{g'}({j}) ⊆ desc_{g·g'}({i}) or desc_{g'}({j}) ∩ desc_{g·g'}({i}) = ∅.

Proof. We prove this lemma by induction on g'. If g' = ε, then desc_ε({j}) =
{j}.

Let us consider the case g' = g'' · (i', ℓ, j'). By induction hypothesis either
desc_{g''}({j}) ⊆ desc_{g·g''}({i}) or desc_{g''}({j}) ∩ desc_{g·g''}({i}) = ∅.

In the first case, if i' ∈ desc_{g''}({j}), then j' ∈ desc_{g''·(i',ℓ,j')}({j}) and
j' ∈ desc_{g·g''·(i',ℓ,j')}({i}); else j' ∉ desc_{g''·(i',ℓ,j')}({j}).

In the second case, let us consider the subcase i' ∈ desc_{g''}({j}). Therefore
i' ∉ desc_{g·g''}({i}). In addition to this, j is not created in g · g'' (a thread
cannot be created twice in a genealogy), therefore j ∉ desc_{g·g''}({i}). Hence
j' ∈ desc_{g''·(i',ℓ,j')}({j}) and j' ∉ desc_{g·g''·(i',ℓ,j')}({i}).

The subcase i' ∈ desc_{g·g''}({i}) is similar. Let us consider the subcase
i' ∉ desc_{g''}({j}) ∪ desc_{g·g''}({i}). Therefore desc_{g·g''·(i',ℓ,j')}({i}) = desc_{g·g''}({i})
and desc_{g''·(i',ℓ,j')}({j}) = desc_{g''}({j}). □

We also need to consider sub-genealogies such as g. In this partial genealogy,
j1 has not been created by j0. Hence desc_g({j0}) = {j0, j2, j4}. Notice
that j3 ∉ desc_g({j0}) even though the creation of j3 is in the genealogy g.

During an execution, after having encountered a state s0 = (j0, P0, σ0, g0),
we distinguish two kinds of descendants of j0: (i) those which already exist in
state s0 (except j0 itself) and their descendants, (ii) j0 and its other descendants.
Each thread of kind (i) has been created by a statement executed by
j0. We call after(s0) the set of states from which a thread of kind (ii) can execute a
transition. In Fig. 5, the thick lines describe all the states encountered while
executing the program that fall into after(s0).
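As an added example (our own code, not the paper's), the definitions of Fig. 4 can be computed directly on the genealogies of Fig. 5. The encoding is an assumption of this example: j0, ..., j4 are the integers 0..4, main is 0, labels are strings, and g0 = [(j0, ℓ1, j1)] and g = [(j0, ℓ2, j2), (j1, ℓ3, j3), (j2, ℓ4, j4)] are the genealogies given above. desc follows the inductive definition of Fig. 4, in_after decides membership in after(s0) from the genealogy suffix alone (the control point and store play no role, so they are left as None), lemma6_holds checks the two alternatives of Lemma 6 on every pair of threads not created in g', and kinds_of_descendants separates the descendants of j0 into the kinds (i) and (ii) introduced above.

```python
MAIN = 0   # the distinguished identifier main (j0 in Fig. 5)

# Constructed genealogies for the run drawn in Fig. 5, threads j0..j4 as 0..4.
# A tuple (i, l, j) records that thread i created thread j at label l.
G0 = ((0, "l1", 1),)                                  # g0: history before s0
G = ((0, "l2", 2), (1, "l3", 3), (2, "l4", 4))        # g: what happens after s0


def desc(g, X):
    """desc_g(X) of Fig. 4: scan g left to right, adding each thread
    created by a member of the set built so far."""
    X = set(X)
    for creator, _, child in g:
        if creator in X:
            X.add(child)
    return X


def state(thread, g):
    """Minimal state (i, P, sigma, g); P and sigma do not matter for after."""
    return (thread, None, None, g)


def in_after(s0, s):
    """s in after(s0): the genealogy of s extends that of s0 by some g',
    and the current thread of s descends from thread(s0) through g' alone."""
    i0, _, _, g0 = s0
    j, _, _, g = s
    if g[:len(g0)] != g0:
        return False
    return j in desc(g[len(g0):], {i0})


def lemma6_holds(g, g1):
    """Check Lemma 6 for all i, j not created in g1: desc_{g1}({j}) is
    either contained in desc_{g.g1}({i}) or disjoint from it."""
    created = {child for _, _, child in g1}
    known = {MAIN} | {t for creator, _, child in g for t in (creator, child)}
    for i in known - created:
        for j in known - created:
            dj, di = desc(g1, {j}), desc(g + g1, {i})
            if not (dj <= di or not (dj & di)):
                return False
    return True


S0 = state(MAIN, G0)


def kinds_of_descendants():
    """Split desc_{g0.g}({j0}) into kind (ii), i.e. the threads whose states
    lie in after(s0), and kind (i), the ones that do not."""
    all_desc = desc(G0 + G, {MAIN})
    kind_ii = {j for j in all_desc if in_after(S0, state(j, G0 + G))}
    return sorted(all_desc), sorted(kind_ii), sorted(all_desc - kind_ii)


if __name__ == "__main__":
    print("desc_{g0.g}({j0}) =", sorted(desc(G0 + G, {MAIN})))
    print("desc_g({j0}) =", sorted(desc(G, {MAIN})))
    print("(all, kind ii, kind i) =", kinds_of_descendants())
    print("Lemma 6 on (g0, g):", lemma6_holds(G0, G))
```

The split reproduces the text: j2 and j4 are the kind (ii) descendants (in after(s0)), while j1 and j3 already existed at s0 or descend from such a thread, so their states are not in after(s0) even though j3 is created within g.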

The following lemma makes explicit some properties of after:

Lemma 7. Let T be a set of transitions and (s0, s1) ∈ T*. Then:

1. If thread(s0) = thread(s1) then s1 ∈ after(s0).

2. If s1 ∈ after(s0) then after(s1) ⊆ after(s0).

Proof. Let (i0, P0, σ0, g0) = s0 and (i1, P1, σ1, g1) = s1. By definition of
transitions, there exists g1' such that g1 = g0 · g1'. Because i0 ∈ desc_ε({i0}),
i0 ∈ desc_{g1'}({i0}). Therefore, if thread(s0) = thread(s1), i.e., i1 = i0, then
s1 ∈ after(s0) (by definition of after).

Let us assume that s1 ∈ after(s0). Let s2 = (i2, P2, σ2, g2) ∈ after(s1).
Therefore, there exists g2' such that g2 = g1 · g2' = g0 · g1' · g2' and i2 ∈
desc_{g2'}({i1}). Because s1 ∈ after(s0), by definition, i1 ∈ desc_{g1'}({i0}). Therefore
i1 ∈ desc_{g2'}({i1}) ∩ desc_{g1'·g2'}({i0}). According to Lemma 6, desc_{g2'}({i1}) ⊆
desc_{g1'·g2'}({i0}). Hence i2 ∈ desc_{g1'·g2'}({i0}) and therefore s2 ∈ after(s0). □

When a schedule transition is executed, the current thread changes. The
future descendants of the previous current thread and of the new current thread are
different. This is formalized by the following lemma:

Lemma 8. If (s1, s2) ∈ Schedule then after(s1) ∩ after(s2) = ∅.

Proof. Let (i1, P1, σ1, g1) = s1 and i2 = thread(s2). Therefore (i2, P1, σ1, g1) =
s2. Let s = (i, P, σ, g) ∈ after(s1) ∩ after(s2).

By definition of after, there exists g' such that g = g1 · g', i ∈ desc_{g'}({i1})
and i ∈ desc_{g'}({i2}). Furthermore i1 and i2 are in Dom(P1). Therefore i1 and
i2 are either created in g1, or are main. Hence, i1 and i2 cannot be created
in g'. Therefore i1 ∉ desc_{g'}({i2}) and therefore desc_{g'}({i2}) ⊄ desc_{ε·g'}({i1}).
Using Lemma 6 (with g = ε) we conclude that desc_{g'}({i1}) ∩ desc_{g'}({i2}) = ∅. This is a
contradiction with i ∈ desc_{g'}({i1}) and i ∈ desc_{g'}({i2}). □

During the execution of a set of transitions T that do not create threads,
the set of descendants does not increase:

Lemma 9. Let T be a set of transitions such that:
for all (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ T, g = g'.
Let s0 = (i0, P0, σ0, g0), s = (i, P, σ, g0 · g) and s' = (i', P', σ', g0 · g · g').
If (s, s') ∈ (A|_{States \ after(s0)} ∪ T)* then desc_{g·g'}({i0}) = desc_g({i0}).

Proof. Let s1, ..., sn be a sequence of states such that s1 = s, for all k ∈
{1, ..., n − 1}, (sk, sk+1) ∈ A|_{States \ after(s0)} ∪ T, and sn = s'.
Let (ik, Pk, σk, g0 · g · gk) = sk.

If gk ≠ gk+1 then (sk, sk+1) ∈ A|_{States \ after(s0)} and then ik ∉ desc_{g·gk}({i0}) and then
desc_{g·gk}({i0}) = desc_{g·gk+1}({i0}).

Therefore, in all cases desc_{g·gk}({i0}) = desc_{g·gk+1}({i0}) and then, by straightforward
induction, desc_{g·g'}({i0}) = desc_g({i0}). □

Lemma 10. Let T be a set of transitions such that:
for all (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ T, g = g'.
Let s = (i, P, σ, g) and s' = (i', P', σ', g · g').

If (s, s') ∈ (A|_{States \ after(s)} ∪ T)* then desc_{g'}({i}) = {i}.

Proof. Apply Lemma 9 with s0 = s. □

These lemmas have a consequence on after:

Lemma 11. Let T be a set of transitions such that:
for all (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ T, g = g'.

If (s0, s1) ∈ (A|_{States \ after(s0)} ∪ T)* and s1 ∈ after(s0) then thread(s1) = thread(s0).

Proof. Let (i0, P0, σ0, g0) = s0 and (i1, P1, σ1, g0 · g1) = s1. By Lemma 10
desc_{g1}({i0}) = {i0} and by definition of after, i1 ∈ desc_{g1}({i0}). □

Lemma 12. Let T1 be a set of transitions such that:
for all (s, s') = ((i, P, σ, g), (i', P', σ', g')) ∈ T1, g = g'.
Let T2 be a set of transitions.

Let s0, s1, s be three states such that (s0, s1) ∈ T1*, thread(s0) = thread(s1)
and (s1, s) ∈ T2*.

If s ∈ after(s0) then s ∈ after(s1).

Proof. Let (i0, P0, σ0, g0) = s0, (i1, P1, σ1, g0 · g1) = s1 and (i, P, σ, g0 · g1 · g) = s.
By Lemma 10 desc_{g1}({i0}) = {i0} and by definition of after, i1 ∈ desc_{g1}({i0}).
Therefore desc_{g1·g}({i0}) = desc_g(desc_{g1}({i0})) = desc_g({i0}).

Because s ∈ after(s0), i ∈ desc_{g1·g}({i0}), therefore i ∈ desc_g({i0}). Hence s ∈
after(s1). □
Figure 6: G-collecting semantics



3.2 Definition of the G-collecting Semantics 

Let us recall some classical definitions. For any binary relation R on states
let R|_S = {(s, s') ∈ R | s ∈ S} be the restriction of R to S and R(S) =
{s' | ∃s ∈ S : (s, s') ∈ R} be the application of R to S. R;R' = {(s, s'') |
∃s' ∈ States : (s, s') ∈ R ∧ (s', s'') ∈ R'} is the composition of R and R'. Let
R* = ⋃_{k∈ℕ} R^k where R^0 = {(s, s) | s ∈ States} and R^{k+1} = R^k;R. Finally,
for any set of states S, let States \ S be the complement of S.

The definition of the G-collecting semantics ⟦ℓ stmt, ℓ'⟧ of a statement
ℓ stmt, ℓ' requires some intermediate relations and sets. The formal definition
is given by the following definition:

Definition 1.

    ⟦ℓ stmt, ℓ'⟧(S, G, A) = (S', G ∪ Self ∪ Par ∪ Sub, A ∪ Par ∪ Sub)
    {|ℓ stmt, ℓ'|}(S, G, A) = [Reach, Ext, Self, Par, Sub]

where:

    Reach = {(s0, s1) | (s0, s1) ∈ [(G|_{after(s0)} ∩ Tr_{ℓ stmt, ℓ'}) ∪ A|_{States \ after(s0)}]*
                        ∧ thread(s0) = thread(s1) ∧ label(s0) = ℓ}
    S' = {s1 | s1 ∈ Reach(S) ∧ label(s1) = ℓ'}
    Self = {(s, s') ∈ Tr_{ℓ stmt, ℓ'} | s ∈ Reach(S)}
    Par = {(s, s') ∈ Tr_{ℓ stmt, ℓ'} | ∃s0 ∈ S : (s0, s) ∈ Reach;Schedule ∧ s ∈ after(s0)}
    Ext(s0, s1) = [(G|_{after(s0)} ∩ Tr_{ℓ stmt, ℓ'}) ∪ A|_{States \ after(s0)} ∪ G|_{after(s1)}]*
    Sub = {(s, s') | ∃(s0, s1) ∈ S × S' : (s0, s1) ∈ Reach ∧
                     (s1, s) ∈ Ext(s0, s1) ∧ s ∈ after(s0) \ after(s1)}
Let us read Definition 1 together, on the special cases shown in Fig. 6. This will
explain the rather intimidating definition step by step, introducing the
necessary complications as they come along.

The statement is executed between states s0 = (j0, P, σ, g) and s1 =
(j0, P', σ', g · g').

Figure 6(a) describes the single-thread case: there is no thread interaction
during the execution of ℓ stmt, ℓ'. The thread j5 is spawned after the execution
of the statement. E.g., in Fig. 2b, ℓ6 y := 0; ℓ7.

In this simple case, a state s is reachable from s0 if and only if there
exists a path from s0 to s using only transitions done by the unique thread
(these transitions should be in the guarantee G) and that are generated by
the statement. S' represents the final states reachable from S. Finally, in this
case:

    Reach = {(s0, s1) ∈ [G ∩ Tr_{ℓ stmt, ℓ'}]* | label(s0) = ℓ}
    S' = {s1 | s1 ∈ Reach(S) ∧ label(s1) = ℓ'}
    Self = {(s, s') ∈ Tr_{ℓ stmt, ℓ'} | s ∈ Reach(S)}
    Par = Sub = ∅
    ⟦ℓ stmt, ℓ'⟧(S, G, Schedule) = (S', G ∪ Self, Schedule)

Figure 6(b) is more complex: j0 interferes with threads j1 and j3. These
interferences are assumed to be in A. Some states can be reached only with
such interference transitions. E.g., consider the statement ℓ14 y := 1; ℓ15 z :=
y, ℓ∞ in Fig. 2d: at the end of this statement, the value of z may be 3, because
the statement ℓ13 y := 3, ℓ∞ may be executed when the thread main is at
label ℓ15. Therefore, to avoid missing some reachable states, transitions of A
are taken into account in the definition of Reach. In Fig. 6(b), the statement
ℓ stmt, ℓ' is executed by descendants of j0 of kind (ii) (i.e., in after(s0)), and the
interferences come from j1 and j3 which are descendants of kind (i) (i.e., in
States \ after(s0)). Finally, we find the complete formula of Definition 1:

    Reach = {(s0, s1) | (s0, s1) ∈ [(G|_{after(s0)} ∩ Tr_{ℓ stmt, ℓ'}) ∪ A|_{States \ after(s0)}]*
                        ∧ thread(s0) = thread(s1) ∧ label(s0) = ℓ}

In Fig. 6(c), when j0 executes the statement ℓ stmt, ℓ', it creates subthreads
(j2 and j4) which execute transitions in parallel with the statement. The guarantee
G is not supposed to contain only transitions executed by the current
thread but also these transitions. These transitions, represented by thick lines
in Fig. 6(c), are collected into the set Par. Consider such a transition: it is
executed in parallel with the statement, i.e., from a state of Schedule ∘ Reach({s0}).
Furthermore, this transition came from the statement, and not from an earlier
thread, hence from after(s0):

    Par = {(s, s') ∈ Tr_{ℓ stmt, ℓ'} | ∃s0 ∈ S : (s0, s) ∈ Schedule ∘ Reach ∧ s ∈ after(s0)}.

The threads created by j0 when it executes the statement ℓ stmt, ℓ' may
survive when this statement returns in s1, as shown in Fig. 6(d). Such a
thread i (here, i is j4, j5 or j6) can execute transitions that are not in Par.
Sub collects these transitions. The creation of i results from a create statement
executed between s0 and s1. Hence, such a transition (s, s') is executed
from a state in after(s0) \ after(s1). The path from s1 to s is comprised
of transitions in (G|_{after(s0)} ∩ Tr_{ℓ stmt, ℓ'}) ∪ A|_{States \ after(s0)} (similarly to Reach) and of
transitions of j5 or j6 under the dotted line, i.e., transitions in G|_{after(s1)}.

3.3 Properties of the G-collecting Semantics

To prepare for our static analysis we provide a compositional analysis of the
G-collecting semantics in Theorem 1 below. To this end, we introduce a set
of helper functions, see Fig. 7. We define, for any extensive¹ function f,

¹ A function f of domain D is extensive if and only if for every set X ⊆ D, X ⊆ f(X).

    interfere_A(S) = {s' | ∃s ∈ S : (s, s') ∈ (A|_{States \ after(s)} ∪ Schedule)* ∧ thread(s) = thread(s')}
    post(ℓ) = {s' | ∃s = (i, P, σ, g · (i, ℓ, j)) ∈ States : s' ∈ after(s)}
    schedule-child(S) = {(j, P, σ, g') | (i, P, σ, g') ∈ S, g' = g · (i, ℓ, j)}
    init-child_ℓ((S, G, A)) = (interfere_{A ∪ (G|_{post(ℓ)})} ∘ schedule-child(S), Schedule, A ∪ (G|_{post(ℓ)}))
    combine_{(S,G,A)}(G') = (interfere_{A ∪ G'}(S), G ∪ G', A ∪ G')
    execute-thread_{f,S,A}(G) = G' with (S', G', A') = f(S, G, A)
    guarantee_f(S, G, A) = execute-thread_{f,S,A}(G)

Figure 7: Basic semantic functions
The function $\mathit{interfere}_A(S)$ returns the states that are reachable from $S$ by applying interferences in $A$. Notice that these interferences do not change the label of the current thread:

Lemma 13. Let $s = (i,P,\sigma,g)$ and $s' = (i',P',\sigma',g')$. If $(s,s') \in (A|_{\mathit{after}(s)} \cup \mathit{Schedule})^*$ then $P(i) = P'(i)$, i.e., $\mathit{label}(s) = P'(\mathit{thread}(s))$.

If furthermore $\mathit{thread}(s) = \mathit{thread}(s')$ then $\mathit{label}(s) = \mathit{label}(s')$.

Proof. There exists a sequence of states $s_0,\ldots,s_n$ such that $s_0 = s$, $s_n = s'$ and for all $k \in \{0,\ldots,n-1\}$, $(s_k,s_{k+1}) \in A|_{\mathit{after}(s)} \cup \mathit{Schedule}$.

Let $(i_k,P_k,\sigma_k,g_k) = s_k$. Let us prove by induction that $P_k(i) = P(i)$. If $(s_k,s_{k+1}) \in \mathit{Schedule}$ and $P_k(i) = P(i)$ then $P_{k+1}(i) = P(i)$. If $(s_k,s_{k+1}) \in A|_{\mathit{after}(s)}$ and $P_k(i) = P(i)$ then $s_k \notin \mathit{after}(s)$, hence $i_k \neq i$, and then $P_{k+1}(i) = P_k(i) = P(i)$. □

The function $\mathit{post}(\ell)$ computes the set of states that may be reached after having created a thread at label $\ell$; $\mathit{schedule\text{-}child}$ applies a schedule transition to the last child of the current thread. The function $\mathit{init\text{-}child}_{\ell}$ computes a configuration for the last child created at $\ell$, taking into account interferences with its parent using $\mathit{post}(\ell)$; notice that we need the genealogies here to define $\mathit{post}(\ell)$ and hence to obtain Theorem 1. The function $\mathit{execute\text{-}thread}$ computes a part of the guarantee (an under-approximation), given the semantics of a command represented as a function $f$ from configurations to configurations. Finally, $\mathit{guarantee}$ iterates $\mathit{execute\text{-}thread}$ to compute the whole guarantee.

During the execution of a statement ${}^{\ell}stmt,\ell'$, interference transitions may be fired at any time. Nevertheless, the labels of the thread(s) executing the statement remain labels of the statement:

Lemma 14. If $(s_0,s) \in (\mathrm{Tr}_{{}^{\ell}stmt,\ell'} \cup A|_{\mathit{after}(s_0)})^*$, $\mathit{label}(s_0) \in \mathit{Labs}({}^{\ell}stmt,\ell')$ and $s \in \mathit{after}(s_0)$, then $\mathit{label}(s) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

Furthermore, if $\mathit{label}(s) = \ell'$ or $\mathit{label}(s) = \ell$ then $\mathit{thread}(s_0) = \mathit{thread}(s)$.

Proof. There exists a path $s_1,\ldots,s_n$ such that $s_n = s$ and for all $k \in \{0,\ldots,n-1\}$, $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'} \cup A|_{\mathit{after}(s_0)}$. Let $(i_0,P_0,\sigma_0,g_0) = s_0$ and, for $k \geq 1$, let $(i_k,P_k,\sigma_k,g_0\cdot g_k) = s_k$.

Let us prove by induction on $k$ that $P_k(i_0) \in \mathit{Labs}({}^{\ell}stmt,\ell')$ and, for all $j \in \mathit{desc}_{g_k}(\{i_0\}) \setminus \{i_0\}$, $P_k(j) \in \mathit{Labs}_{child}({}^{\ell}stmt,\ell')$.

Let us assume that $k$ satisfies the induction property, and let us show that $k+1$ satisfies it too.






In the case $(s_k,s_{k+1}) \in A|_{\mathit{after}(s_0)}$, $i_k \notin \mathit{desc}_{g_k}(\{i_0\})$, and then for all $j \in \mathit{desc}_{g_k}(\{i_0\}) = \mathit{desc}_{g_{k+1}}(\{i_0\})$, $P_k(j) = P_{k+1}(j)$.

In the case $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$ and $i_k = i_0$, by Lemma 1, $P_{k+1}(i_k) \in \mathit{Labs}({}^{\ell}stmt,\ell')$. Furthermore, if $j \in \mathit{desc}_{g_k}(\{i_0\})$ then $P_k(j) = P_{k+1}(j)$. If $j \in \mathit{desc}_{g_{k+1}}(\{i_0\}) \setminus \mathit{desc}_{g_k}(\{i_0\})$, then $j \in \mathrm{Dom}(P_{k+1}) \setminus \mathrm{Dom}(P_k)$ and, by Lemma 3, $P_{k+1}(j) \in \mathit{Labs}_{child}({}^{\ell}stmt,\ell')$.

In the case $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$ and $i_k \neq i_0$, we conclude similarly by Lemma 4. If $s \in \mathit{after}(s_0)$, then $i_n \in \mathit{desc}_{g_n}(\{i_0\})$ and therefore $\mathit{label}(s) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

If $\mathit{label}(s) = \ell'$ or $\mathit{label}(s) = \ell$, then, because by Lemma 4 $\ell$ and $\ell'$ are not in $\mathit{Labs}_{child}({}^{\ell}stmt,\ell')$, we have $\mathit{thread}(s_0) = \mathit{thread}(s)$. □

The following lemma summarizes the consequences of Lemmas 7 and 14 on $\mathit{Reach}$:

Lemma 15. Let $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell}stmt,\ell'|\!\}(S,G,A)$. If $(s_0,s) \in \mathit{Reach}$ then $s \in \mathit{after}(s_0)$, $\mathit{after}(s) \subseteq \mathit{after}(s_0)$ and $\mathit{label}(s) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

Proof. $(s_0,s) \in [(G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell}stmt,\ell'}) \cup A|_{\mathit{after}(s_0)}]^*$, so by Lemma 7, $s \in \mathit{after}(s_0)$ and $\mathit{after}(s) \subseteq \mathit{after}(s_0)$. Furthermore, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell}stmt,\ell')$. □

The following proposition shows that $\mathit{guarantee}$ collects all the transitions generated by a statement.

Proposition 1 (Soundness of guarantee). Let $(S,G,A)$ be a concrete configuration, ${}^{\ell}stmt,\ell'$ a statement and $G_\infty = \mathit{guarantee}_{\llbracket {}^{\ell}stmt,\ell' \rrbracket}(S,G,A)$. Let $s_0 \in S$ and $s \in \mathit{after}(s_0)$ such that $(s,s') \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$.

If $(s_0,s) \in [\mathrm{Tr}_{{}^{\ell}stmt,\ell'}|_{\mathit{after}(s_0)} \cup A|_{\mathit{after}(s_0)}]^*$ then $(s,s') \in G_\infty$.

Proof. Let $G_k = \mathit{execute\text{-}thread}^{k}_{\llbracket {}^{\ell}stmt,\ell' \rrbracket,S,A}(G)$, $[\mathit{Reach}_k,\mathit{Ext}_k,\mathit{Self}_k,\mathit{Par}_k,\mathit{Sub}_k] = \{\!|{}^{\ell}stmt,\ell'|\!\}(S,G_k,A)$ and $T = \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$.

Let $s_0,\ldots,s_{n+1}$ be a path such that $s_n = s$, $s_{n+1} = s'$ and for all $k$, $(s_k,s_{k+1}) \in T|_{\mathit{after}(s_0)} \cup A|_{\mathit{after}(s_0)}$. Let $m$ be an arbitrary integer. Let $k$ be the smallest index (if it exists) such that $(s_k,s_{k+1}) \in T|_{\mathit{after}(s_0)} \setminus G_m$. Then, by definition, $(s_k,s_{k+1}) \in \mathit{Self}_m \cup \mathit{Par}_m \subseteq G_{m+1} \subseteq G_\infty$. □






3.4 Basic Statements

Basic statements have common properties; therefore, we study them together. Proposition 2 explains how to overapproximate the semantics of a basic statement. It will be used in the abstract semantics.

An execution path of a basic statement can be decomposed into interferences, then one transition of the basic statement, and then some other interferences. The following lemma shows this; it will allow us to prove Proposition 2.

Lemma 16. Let ${}^{\ell_1}basic,\ell_2$ be a basic statement and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell_1}basic,\ell_2|\!\}(S,G,A)$. Let $(s_0,s) \in \mathit{Reach}$. Then:

• either $s \in \mathit{interfere}_A(\{s_0\})$ and $\mathit{label}(s) = \ell_1$,

• or $s \in \mathit{interfere}_A\big((\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule})(\mathit{interfere}_A(\{s_0\}))\big)$ and $\mathit{label}(s) = \ell_2$.

Proof. Let us consider the case $(s_0,s) \in (A|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*$. By definition of $\mathit{Reach}$, $\mathit{thread}(s_0) = \mathit{thread}(s)$. Therefore $s \in \mathit{interfere}_A(\{s_0\})$. By Lemma 13, $\mathit{label}(s_0) = \mathit{label}(s)$, hence $\mathit{label}(s) = \ell_1$.

Let us consider the case $(s_0,s) \notin (A|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*$. Because $(s_0,s) \in \mathit{Reach}$, $(s_0,s) \in [(G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2}) \cup A|_{\mathit{after}(s_0)}]^*$. So
$$(s_0,s) \in (A|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*;\ [G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule}];\ [(G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2}) \cup A|_{\mathit{after}(s_0)}]^*.$$

Let $s_1,s_2,\ldots,s_n$ be a sequence of states such that $s_n = s$, $(s_0,s_1) \in (A|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*$, $(s_1,s_2) \in G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule}$ and, for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2}) \cup A|_{\mathit{after}(s_0)}$.

Notice that $(s_1,s_2) \in G|_{\mathit{after}(s_0)}$ and therefore $s_1 \in \mathit{after}(s_0)$. By Lemma 11, $\mathit{thread}(s_0) = \mathit{thread}(s_1)$. Therefore $s_1 \in \mathit{interfere}_A(\{s_0\})$.

By Lemma 5, $\mathit{label}(s_2) = \ell_2$.

Let $k$ be the smallest index (if it exists) with $k \geq 2$ such that $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule}$. Then $(s_2,s_k) \in (A|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*$. By Lemma 13, $\mathit{label}(s_k) = \mathit{label}(s_2) = \ell_2$. According to Lemma 5, this is a contradiction. Therefore, for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in \mathit{Schedule} \cup A|_{\mathit{after}(s_0)}$.

By Lemma 1, $\mathit{thread}(s_1) = \mathit{thread}(s_2)$, hence $\mathit{thread}(s_2) = \mathit{thread}(s)$. Therefore $s \in \mathit{interfere}_A(\{s_2\})$. □

Now, we introduce some claims on the semantics of basic statements. Claims 1 and 2 say that when a basic statement is executed, only one thread is executed. Notice that spawn creates a subthread, but does not execute it. Claim 3 characterizes the transitions done by the current thread. Claim 4 gives an overapproximation of $S'$, the set of states reached at the end of the execution of a basic statement.

Claim 1. Let ${}^{\ell_1}basic,\ell_2$ be a basic statement and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell_1}basic,\ell_2|\!\}(S,G,A)$. Then $\mathit{Par} = \emptyset$.

Proof. Let $(s,s') \in \mathit{Par}$. Then $s \in \mathit{Reach};\mathit{Schedule}(S)$. So, there exist $s_0 \in S$ and $s_1$ such that $(s_0,s_1) \in \mathit{Reach}$, $(s_1,s) \in \mathit{Schedule}$ and $s \in \mathit{after}(s_0)$. Hence, by Lemma 7, $\mathit{thread}(s_0) = \mathit{thread}(s)$. Given that $(s_0,s_1) \in \mathit{Reach}$, $\mathit{thread}(s_0) = \mathit{thread}(s_1)$. But, because $(s_1,s) \in \mathit{Schedule}$, $\mathit{thread}(s) \neq \mathit{thread}(s_1)$. This is a contradiction. Hence $\mathit{Par} = \emptyset$. □

Claim 2. Let ${}^{\ell_1}basic,\ell_2$ be a basic statement and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell_1}basic,\ell_2|\!\}(S,G,A)$. Then $\mathit{Sub} = \emptyset$.

Proof. Let $(s,s') \in \mathit{Sub}$. There exist $s_0 \in S$ and $s_1$ such that $(s_0,s_1) \in \mathit{Reach}$, $(s_1,s) \in \mathit{Ext}(s_0,s_1)$ and $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_1)$.

Let $(i_0,P_0,\sigma_0,g_0) = s_0$ and $(i_1,P_1,\sigma_1,g_0\cdot g_1) = s_1$. Because $(s_0,s_1) \in \mathit{Reach}$, $\mathit{thread}(s_0) = \mathit{thread}(s_1)$. Let $j \in \mathit{desc}_{g_1}(\{i_0\})$ and $s'_1 = (j,P_1,\sigma_1,g_0\cdot g_1)$. Then $s'_1 \in \mathit{after}(s_0)$, and $(s_0,s'_1)$ is a path in $(\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \cup A|_{\mathit{after}(s_0)})^*$ followed by at most one $\mathit{Schedule}$ transition. By Lemma 11, $j = \mathit{thread}(s'_1) = \mathit{thread}(s_0) = i_0$. Hence $\mathit{desc}_{g_1}(\{i_0\}) = \{i_0\}$.

Let $(i,P,\sigma,g_0\cdot g_1\cdot g) = s$. By definition of $\mathit{desc}$ and a straightforward induction on $g$, $\mathit{desc}_{g_1\cdot g}(\{i_0\}) = \mathit{desc}_g(\{i_0\})$.

Because $s \in \mathit{after}(s_0)$, $i \in \mathit{desc}_{g_1\cdot g}(\{i_0\})$. Therefore $i = i_0$. By Lemma 7, $s \in \mathit{after}(s_1)$. This contradicts $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_1)$. Hence $\mathit{Sub} = \emptyset$. □

Claim 3. Let ${}^{\ell_1}basic,\ell_2$ be a basic statement and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell_1}basic,\ell_2|\!\}(S,G,A)$.

Then $\mathit{Self} \subseteq \{(s,s') \in \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \mid s \in \mathit{interfere}_A(S)\} \cup \mathit{Schedule}$.

Proof. Let $(s,s') \in \mathit{Self} \setminus \mathit{Schedule}$. Then $(s,s') \in \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2}$ and $s \in \mathit{Reach}(S)$, so there exists $s_0 \in S$ such that $(s_0,s) \in \mathit{Reach}$. Because $(s,s') \in \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule}$, by Lemma 5, $\mathit{label}(s) = \ell_1 \neq \ell_2$. By Lemma 16, $s \in \mathit{interfere}_A(\{s_0\}) \subseteq \mathit{interfere}_A(S)$. □

Claim 4. Let ${}^{\ell_1}basic,\ell_2$ be a basic statement, $(S',G',A') = \llbracket {}^{\ell_1}basic,\ell_2 \rrbracket(S,G,A)$ and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell_1}basic,\ell_2|\!\}(S,G,A)$.

Then $S' \subseteq \mathit{interfere}_A\big((\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule})(\mathit{interfere}_A(S))\big)$.

Proof. Let $s \in S'$. Then $\mathit{label}(s) = \ell_2$ and there exists $s_0 \in S$ such that $(s_0,s) \in \mathit{Reach}$.

Because $\mathit{label}(s) = \ell_2 \neq \ell_1$, according to Lemma 16, $s \in \mathit{interfere}_A\big((\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule})(\mathit{interfere}_A(\{s_0\}))\big) \subseteq \mathit{interfere}_A\big((\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule})(\mathit{interfere}_A(S))\big)$. □

Proposition 2 (Basic statements). Let ${}^{\ell_1}basic,\ell_2$ be a basic statement. Then:

$$\llbracket {}^{\ell_1}basic,\ell_2 \rrbracket(S,G,A) \sqsubseteq (S'', G \cup G_{new}, A)$$

where $S'' = \mathit{interfere}_A\big((\mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \setminus \mathit{Schedule})(\mathit{interfere}_A(S))\big)$ and $G_{new} = \{(s,s') \in \mathrm{Tr}_{{}^{\ell_1}basic,\ell_2} \mid s \in \mathit{interfere}_A(S)\}$.

Proof. This proposition is a straightforward consequence of Claims 1, 2, 3 and 4. □



3.5 Overapproximation of the G-collecting Semantics

The next theorem shows how the G-collecting semantics can be over-approximated by a denotational semantics; it is the key point in defining the abstract semantics.

Theorem 1.

1. $\llbracket {}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3 \rrbracket(Q) \sqsubseteq \llbracket {}^{\ell_2}cmd_2,\ell_3 \rrbracket \circ \llbracket {}^{\ell_1}cmd_1,\ell_2 \rrbracket(Q)$

2. $\llbracket {}^{\ell_1}\mathit{if}(cond)\ \mathit{then}\{{}^{\ell_2}cmd_1\}\ \mathit{else}\{{}^{\ell'_2}cmd_2\},\ell_3 \rrbracket(Q) \sqsubseteq \llbracket {}^{\ell_2}cmd_1,\ell_3 \rrbracket \circ \llbracket {}^{\ell_1}\mathit{guard}(cond),\ell_2 \rrbracket(Q) \sqcup \llbracket {}^{\ell'_2}cmd_2,\ell_3 \rrbracket \circ \llbracket {}^{\ell_1}\mathit{guard}(\neg cond),\ell'_2 \rrbracket(Q)$

3. $\llbracket {}^{\ell_1}\mathit{while}(cond)\{{}^{\ell_2}cmd\},\ell_3 \rrbracket(Q) \sqsubseteq \llbracket {}^{\ell_1}\mathit{guard}(\neg cond),\ell_3 \rrbracket \circ \mathit{loop}^{\infty}(Q)$ with $\mathit{loop}(Q') = \big(\llbracket {}^{\ell_2}cmd,\ell_1 \rrbracket \circ \llbracket {}^{\ell_1}\mathit{guard}(cond),\ell_2 \rrbracket(Q')\big) \sqcup Q'$

4. $\llbracket {}^{\ell_1}\mathit{create}({}^{\ell_2}cmd),\ell_3 \rrbracket(Q) \sqsubseteq \mathit{combine}_{Q'} \circ \mathit{guarantee}_{\llbracket {}^{\ell_2}cmd \rrbracket} \circ \mathit{init\text{-}child}_{\ell_1}(Q')$ with $Q' = \llbracket {}^{\ell_1}\mathit{spawn}(\ell_2),\ell_3 \rrbracket(Q)$

While points 1 and 3 are as expected, the overapproximation of the semantics of ${}^{\ell_1}\mathit{create}({}^{\ell_2}cmd),\ell_3$ (point 4) computes the interferences that will arise from executing the child and its descendants with $\mathit{guarantee}$, and then combines this result with the configuration of the current thread. This theorem will be proved later.
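To make Proposition 2 and points 1-3 of Theorem 1 concrete, here is an added example of a toy thread-modular interpreter written for this page (it is not the paper's code or tool). It keeps the configuration shape $(S, G, A)$ and the helper $\mathit{interfere}_A$, but abstracts labels and genealogies away: a state is just a memory, a basic statement follows the shape of Proposition 2 (interferences, one transition, interferences), sequence, conditional and loop follow points 1-3, and thread creation (point 4) is not modelled. The example program reproduces the Fig. 2d scenario mentioned above (main runs `y := 1; z := y` while another thread may run `y := 3`); the finite value domains and the initial memory are constructed for the example.

```python
"""Toy G-collecting-style semantics with interferences (added example, not the
paper's code).  A configuration is (S, G, A): S the states of the current thread,
G the transitions it executed (its guarantee), A the interference transitions it
assumes from other threads.  Labels and genealogies are abstracted away, so only
Proposition 2 and points 1-3 of Theorem 1 are modelled (no thread creation)."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

Mem = Tuple[Tuple[str, int], ...]      # a memory: sorted (variable, value) pairs
Trans = Tuple[Mem, Mem]               # a transition between two memories


def mem(**vals: int) -> Mem:
    return tuple(sorted(vals.items()))


def get(m: Mem, x: str) -> int:
    return dict(m)[x]


def put(m: Mem, x: str, v: int) -> Mem:
    d = dict(m)
    d[x] = v
    return tuple(sorted(d.items()))


class Config:
    """(S, G, A); join is the componentwise union used by Theorem 1."""
    def __init__(self, S: Iterable[Mem], G: Iterable[Trans], A: Iterable[Trans]):
        self.S, self.G, self.A = frozenset(S), frozenset(G), frozenset(A)

    def join(self, other: "Config") -> "Config":
        return Config(self.S | other.S, self.G | other.G, self.A | other.A)

    def __eq__(self, other: object) -> bool:
        return isinstance(other, Config) and \
            (self.S, self.G, self.A) == (other.S, other.G, other.A)


Stmt = Callable[[Config], Config]


def interfere(A: FrozenSet[Trans], S: Iterable[Mem]) -> FrozenSet[Mem]:
    """interfere_A(S): every state reachable from S by applying transitions of A."""
    cur = frozenset(S)
    while True:
        nxt = cur | frozenset(m2 for (m1, m2) in A if m1 in cur)
        if nxt == cur:
            return cur
        cur = nxt


def basic(step: Callable[[Mem], Optional[Mem]]) -> Stmt:
    """Proposition 2: interferences, one transition of the statement, interferences.
    step(m) is None when the statement is not enabled in m (used for guards)."""
    def sem(q: Config) -> Config:
        before = interfere(q.A, q.S)
        g_new = frozenset((m, step(m)) for m in before if step(m) is not None)
        after = interfere(q.A, (m2 for (_, m2) in g_new))
        return Config(after, q.G | g_new, q.A)       # G grows by G_new, A is kept
    return sem


def assign(x: str, expr: Callable[[Mem], int]) -> Stmt:
    return basic(lambda m: put(m, x, expr(m)))


def guard(cond: Callable[[Mem], bool]) -> Stmt:
    return basic(lambda m: m if cond(m) else None)


def seq(*stmts: Stmt) -> Stmt:                      # Theorem 1, point 1
    def sem(q: Config) -> Config:
        for st in stmts:
            q = st(q)
        return q
    return sem


def ifte(cond: Callable[[Mem], bool], then_cmd: Stmt, else_cmd: Stmt) -> Stmt:
    """Theorem 1, point 2: join of the two guarded branches."""
    def sem(q: Config) -> Config:
        return seq(guard(cond), then_cmd)(q).join(
            seq(guard(lambda m: not cond(m)), else_cmd)(q))
    return sem


def while_(cond: Callable[[Mem], bool], body: Stmt) -> Stmt:
    """Theorem 1, point 3: iterate loop(Q') = body(guard(cond)(Q')) join Q' to a
    fixpoint (finite here because the domains are finite), then guard(not cond)."""
    def sem(q: Config) -> Config:
        cur = q
        while True:
            nxt = seq(guard(cond), body)(cur).join(cur)
            if nxt == cur:
                return guard(lambda m: not cond(m))(cur)
            cur = nxt
    return sem


def all_mems(domain: Dict[str, Tuple[int, ...]]) -> list:
    """Every memory over the given (constructed, finite) variable domains."""
    names = sorted(domain)
    return [mem(**dict(zip(names, v))) for v in product(*(domain[n] for n in names))]


def fig_2d_example(with_interference: bool = True) -> Config:
    """Fig. 2d: main runs y := 1; z := y while another thread may run y := 3 at any
    time; that thread's transitions form the assumed interference set A."""
    mems = all_mems({"y": (0, 1, 3), "z": (0, 1, 3)})
    A = {(m, put(m, "y", 3)) for m in mems} if with_interference else set()
    main = seq(assign("y", lambda m: 1), assign("z", lambda m: get(m, "y")))
    return main(Config({mem(y=0, z=0)}, set(), A))


def loop_example() -> Config:
    """x := 0; while (x < 2) { x := x + 1 }, without interference."""
    prog = seq(assign("x", lambda m: 0),
               while_(lambda m: get(m, "x") < 2, assign("x", lambda m: get(m, "x") + 1)))
    return prog(Config({mem(x=7)}, set(), set()))


if __name__ == "__main__":
    print(sorted({get(m, "z") for m in fig_2d_example().S}))   # [1, 3]
    print(sorted({get(m, "x") for m in loop_example().S}))     # [2]
```

With the interfering `y := 3` in $A$, the final states of main contain $z = 3$ as well as $z = 1$, exactly the state that a definition of $\mathit{Reach}$ ignoring $A$ would miss; without interference only $z = 1$ remains. The guarantee $G$ collected along the way contains main's own transitions (for instance the one writing $y := 1$), which is what a parent thread would feed into $\mathit{combine}$ for its siblings.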

The following proposition considers a statement ${}^{\ell}stmt,\ell'$ and a set of transitions $T$. The only constraint on $T$ concerns the use of the labels of ${}^{\ell}stmt,\ell'$. The proposition considers an execution of the statement from a state $s_0$ to a state $s_1$ and, after it, an execution $s_2,\ldots,s_n$ of other commands. The labels of ${}^{\ell}stmt,\ell'$ may only be used:

• for interferences,

• or by the statement,

• or after having applied the statement, i.e., after $s_1$.

This proposition ensures that any transition executed by a thread created during the execution of ${}^{\ell}stmt,\ell'$ (i.e., between $s_0$ and $s_1$) is a transition generated by the statement ${}^{\ell}stmt,\ell'$.

Proposition 3. Let ${}^{\ell}stmt,\ell'$ be a statement and $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}] = \{\!|{}^{\ell}stmt,\ell'|\!\}(S,G,A)$. Let $(s_0,s_1) \in \mathit{Reach}$ and $T$ a set of transitions such that for all $(s,s') \in T$, if $\mathit{label}(s) \in \mathit{Labs}({}^{\ell}stmt,\ell')$ then $(s,s') \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$, or $s \in \mathit{after}(s_1)$, or $s \notin \mathit{after}(s_0)$.

Let $s_2,\ldots,s_n$ be a sequence of states such that for all $k \in \{1,\ldots,n-1\}$, $(s_k,s_{k+1}) \in T$. Then, if $s_k \in \mathit{after}(s_0)$, either $s_k \in \mathit{after}(s_1)$ or $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$.

Proof. For all $k \geq 1$, let $(i_k,P_k,\sigma_k,g_0\cdot g_k) = s_k$.

Let us show by induction on $k \geq 1$ that for all $j$, if $j \in \mathit{desc}_{g_0\cdot g_k}(\{i_1\}) \setminus \mathit{desc}_{g_k}(\{i_1\})$ then $P_k(j) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

Let $j_0 \in \mathit{desc}_{g_0\cdot g_1}(\{i_1\}) \setminus \mathit{desc}_{g_1}(\{i_1\})$ and $s'_1 = (j_0,P_1,\sigma_1,g_0\cdot g_1)$. Then $s'_1 \in \mathit{after}(s_0)$. Given that $(s_0,s'_1) \in \mathit{Reach};\mathit{Schedule}$, by Lemma 15, $P_1(j_0) = \mathit{label}(s'_1) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

By induction hypothesis, for all $j$, if $j \in \mathit{desc}_{g_0\cdot g_{k-1}}(\{i_1\}) \setminus \mathit{desc}_{g_{k-1}}(\{i_1\})$ then $P_{k-1}(j) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

Let $j \in \mathit{desc}_{g_0\cdot g_k}(\{i_1\}) \setminus \mathit{desc}_{g_k}(\{i_1\})$.

If $\mathit{thread}(s_{k-1}) = j$, then $s_{k-1} \in \mathit{after}(s_0) \setminus \mathit{after}(s_1)$. Furthermore, by induction hypothesis, $P_{k-1}(j) = \mathit{label}(s_{k-1}) \in \mathit{Labs}({}^{\ell}stmt,\ell')$. By definition of $T$, $(s_{k-1},s_k) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$. By Lemma 1, $P_k(j) = \mathit{label}(s_k) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

If $j \in \mathrm{Dom}(P_k) \setminus \mathrm{Dom}(P_{k-1})$, then $\mathit{thread}(s_{k-1}) \in \mathit{desc}_{g_0\cdot g_{k-1}}(\{i_1\}) \setminus \mathit{desc}_{g_{k-1}}(\{i_1\})$. Hence, as above, $(s_{k-1},s_k) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$. Hence, according to Lemma 3, $P_k(j) = \mathit{label}(s_k) \in \mathit{Labs}({}^{\ell}stmt,\ell')$.

Else, by definition of a transition, $P_{k-1}(j) = P_k(j)$.

Let $k$ be such that $s_k \in \mathit{after}(s_0)$; then either $s_k \in \mathit{after}(s_1)$ or $s_k \notin \mathit{after}(s_1)$. In the latter case $i_k \in \mathit{desc}_{g_0\cdot g_k}(\{i_1\}) \setminus \mathit{desc}_{g_k}(\{i_1\})$, and therefore $\mathit{label}(s_k) \in \mathit{Labs}({}^{\ell}stmt,\ell')$. Hence, by definition of $T$, $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell}stmt,\ell'}$. □

3.5.1 Proof of Property 1 of Theorem 1

Lemma 17. $\mathrm{Tr}_{{}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3} = \mathrm{Tr}_{{}^{\ell_1}cmd_1,\ell_2} \cup \mathrm{Tr}_{{}^{\ell_2}cmd_2,\ell_3}$.

In this section, we consider an initial configuration $Q_0 = (S_0,G_0,A_0)$ and a sequence ${}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3$. We write $\mathrm{Tr}_1 = \mathrm{Tr}_{{}^{\ell_1}cmd_1,\ell_2}$, $\mathrm{Tr}_2 = \mathrm{Tr}_{{}^{\ell_2}cmd_2,\ell_3}$ and $\mathrm{Tr} = \mathrm{Tr}_{{}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3}$.

Define:

$$\begin{array}{l}
Q' = (S',G',A') = \llbracket {}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3 \rrbracket(Q_0)\\
K' = [\mathit{Reach}',\mathit{Ext}',\mathit{Self}',\mathit{Par}',\mathit{Sub}'] = \{\!|{}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3|\!\}(Q_0)\\
Q_1 = (S_1,G_1,A_1) = \llbracket {}^{\ell_1}cmd_1,\ell_2 \rrbracket(Q_0)\\
K_1 = [\mathit{Reach}_1,\mathit{Ext}_1,\mathit{Self}_1,\mathit{Par}_1,\mathit{Sub}_1] = \{\!|{}^{\ell_1}cmd_1,\ell_2|\!\}(Q_0)\\
Q_2 = (S_2,G_2,A_2) = \llbracket {}^{\ell_2}cmd_2,\ell_3 \rrbracket(Q_1)\\
K_2 = [\mathit{Reach}_2,\mathit{Ext}_2,\mathit{Self}_2,\mathit{Par}_2,\mathit{Sub}_2] = \{\!|{}^{\ell_2}cmd_2,\ell_3|\!\}(Q_1)
\end{array}$$

Lemma 18. If $(s,s') \in \mathrm{Tr}$ and $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2) \setminus \{\ell_2\}$ then $(s,s') \in \mathrm{Tr}_1$.

If $(s,s') \in \mathrm{Tr}$ and $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$ then $(s,s') \in \mathrm{Tr}_2$.

Proof. Let us consider the case $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2) \setminus \{\ell_2\}$. Because the labels of ${}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3$ are pairwise distinct, $\mathit{label}(s) \notin \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. By Lemma 2, $(s,s') \notin \mathrm{Tr}_2$. Hence, by Lemma 17, $(s,s') \in \mathrm{Tr}_1$.

The case $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$ is similar. □

Lemma 19. Using the above notations, for every $(s_0,s) \in \mathit{Reach}'$ such that $s_0 \in S_0$,

• either $(s_0,s) \in \mathit{Reach}_1$ and $\mathit{label}(s) \neq \ell_2$,

• or there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s) \in \mathit{Reach}_2$ and $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$.

Proof. Let $(s_0,s) \in \mathit{Reach}'$. Either $(s_0,s) \in \mathit{Reach}_1$ or $(s_0,s) \notin \mathit{Reach}_1$.

In the first case, either $\mathit{label}(s) \neq \ell_2$ or $\mathit{label}(s) = \ell_2$. If $\mathit{label}(s) = \ell_2$ then, by definition, $s \in S_1$. By definition, $(s,s) \in \mathit{Reach}_2$ and $(s,s) \in \mathit{Ext}_1(s_0,s)$. We just have to choose $s_1 = s$.

In the second case, $(s_0,s) \notin \mathit{Reach}_1$. Let $T_0 = (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup A_0|_{\mathit{after}(s_0)}$. Since $(s_0,s) \in \mathit{Reach}'$, $\mathit{thread}(s_0) = \mathit{thread}(s)$ and $\mathit{label}(s_0) = \ell_1$. Furthermore $(s_0,s) \notin \mathit{Reach}_1$, so $(s_0,s) \notin T_0^*$. Since $(s_0,s) \in \mathit{Reach}' \subseteq [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)}]^*$, $\mathrm{Tr} = \mathrm{Tr}_1 \cup \mathrm{Tr}_2$ (using Lemma 17) and $\mathrm{Tr}_1 \supseteq \mathit{Schedule}$, we have $(s_0,s) \in [T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2 \setminus \mathit{Schedule})]^*$.

Recall $(s_0,s) \notin T_0^*$, hence $(s_0,s) \in T_0^*;(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2 \setminus \mathit{Schedule});[T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)]^*$. Therefore, there exist $s_1,s_2$ such that:

• $(s_0,s_1) \in T_0^*$

• $(s_1,s_2) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2 \setminus \mathit{Schedule}$

• $(s_2,s) \in [T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)]^*$

Since $s_0 \in S_0$, $\mathit{label}(s_0) = \ell_1 \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2)$. Since $(s_1,s_2) \in G_0|_{\mathit{after}(s_0)}$, $s_1 \in \mathit{after}(s_0)$. Furthermore $(s_0,s_1) \in T_0^* \subseteq (\mathrm{Tr}_1 \cup A_0|_{\mathit{after}(s_0)})^*$, so, according to Lemma 14, $\mathit{label}(s_1) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2)$.

Given that $(s_1,s_2) \in \mathrm{Tr}_2 \setminus \mathit{Schedule}$, according to Lemma 2, $\mathit{label}(s_1) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. Hence $\mathit{label}(s_1) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3) \cap \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2)$. Because the labels of ${}^{\ell_1}cmd_1;{}^{\ell_2}cmd_2,\ell_3$ are pairwise distinct, $\mathit{label}(s_1) = \ell_2$. Using Lemma 14, we conclude that $\mathit{thread}(s_0) = \mathit{thread}(s_1)$.

Given that $\mathit{thread}(s_0) = \mathit{thread}(s_1)$, $\mathit{label}(s_0) = \ell_1$ and $(s_0,s_1) \in T_0^*$, we conclude that $(s_0,s_1) \in \mathit{Reach}_1$. Furthermore $\mathit{label}(s_1) = \ell_2$ and $s_0 \in S_0$, therefore $s_1 \in S_1$.

$(s_1,s) \in [T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)]^*$. Therefore, by Proposition 3, $(s_1,s) \in [T_0 \cup (G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2)]^* \subseteq \mathit{Ext}_1(s_0,s_1)$.

Recall that $(s_2,s) \in [T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)]^*$, so there exist $s_3,\ldots,s_n$ such that $s_n = s$ and for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in T_0 \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)$. By definition, if $(s_k,s_{k+1}) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1$ and $s_k \notin \mathit{after}(s_1)$, then $(s_k,s_{k+1}) \in \mathit{Sub}_1$.

We show by induction on $k$ that if $(s_k,s_{k+1}) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1 \setminus \mathit{Schedule}$, then $s_k \notin \mathit{after}(s_1)$. By induction hypothesis, $(s_2,s_k) \in [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1)|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \cup A_0|_{\mathit{after}(s_0)} \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2)]^*$. Therefore, by Lemma 14, if $s_k \in \mathit{after}(s_2)$, then $\mathit{label}(s_k) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. Therefore, because labels are pairwise distinct, if $s_k \in \mathit{after}(s_2)$, then $\mathit{label}(s_k) \notin \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2) \setminus \{\ell_2\}$. Therefore, by Lemma 2, if $s_k \in \mathit{after}(s_2)$, then $(s_k,s_{k+1}) \notin \mathrm{Tr}_1 \setminus \mathit{Schedule}$.

Hence, $(s_1,s) \in [\mathit{Sub}_1|_{\mathit{after}(s_0)} \cup A_0|_{\mathit{after}(s_0)} \cup (G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2)]^*$. By Lemma 7, $\mathit{after}(s_1) \subseteq \mathit{after}(s_0)$, hence $(s_1,s) \in [(\mathit{Sub}_1 \cup A_0)|_{\mathit{after}(s_1)} \cup (G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2)]^* \subseteq [A_1|_{\mathit{after}(s_1)} \cup (G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2)]^*$. Therefore $(s_1,s) \in \mathit{Reach}_2$. □
Lemma 20. Using the above notations, for every $(s_0,s) \in \mathit{Reach}'$ such that $s_0 \in S_0$ and $s \in S'$, there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s) \in \mathit{Reach}_2$ and $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$.

Proof. If $(s_0,s) \in \mathit{Reach}_1$, then, according to Lemma 15, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2)$. In this case $\mathit{label}(s) \neq \ell_3$, which is impossible because $s \in S'$.

Therefore, according to Lemma 19, there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s) \in \mathit{Reach}_2$ and $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$. □

Lemma 21. Using the notations of this section, let $s_0 \in S_0$, $s_1 \in S_1$, $s_2 \in S_2$ and $s$ be such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s_2) \in \mathit{Reach}_2 \cap \mathit{Ext}_1(s_0,s_1)$ and $(s_2,s) \in \mathit{Ext}'(s_0,s_2)$. Then $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$.

Proof. Notice that, by Lemma 7, $\mathit{after}(s_2) \subseteq \mathit{after}(s_1) \subseteq \mathit{after}(s_0)$. Recall that:

$$\mathit{Ext}'(s_0,s_2) = [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)} \cup G_0|_{\mathit{after}(s_2)}]^*$$
$$\mathit{Ext}_1(s_0,s_1) = [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup A_0|_{\mathit{after}(s_0)} \cup G_0|_{\mathit{after}(s_1)}]^*$$

By Lemma 17, $\mathit{Ext}'(s_0,s_2) = [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2) \cup A_0|_{\mathit{after}(s_0)} \cup G_0|_{\mathit{after}(s_2)}]^*$. Let $T = (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2) \cup G_0|_{\mathit{after}(s_2)}$. Therefore, because $\mathit{after}(s_2) \subseteq \mathit{after}(s_0)$, $\mathit{Ext}'(s_0,s_2) = [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup A_0|_{\mathit{after}(s_0)} \cup T|_{\mathit{after}(s_0)}]^*$.

By Proposition 3, $(s_2,s) \in [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup A_0|_{\mathit{after}(s_0)} \cup T|_{\mathit{after}(s_1)}]^*$.

Because $\mathit{after}(s_2) \subseteq \mathit{after}(s_1) \subseteq \mathit{after}(s_0)$, $T|_{\mathit{after}(s_1)} = (G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup G_0|_{\mathit{after}(s_2)}$. Hence $(s_2,s) \in \mathit{Ext}_1(s_0,s_1)$. Hence $(s_1,s) \in \mathit{Ext}_1(s_0,s_1);\mathit{Ext}_1(s_0,s_1) = \mathit{Ext}_1(s_0,s_1)$. □

Lemma 22. Using the notations of this section, let $s_0 \in S_0$, $s_1 \in S_1$, $s_2 \in S_2$ and $s$ be such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s_2) \in \mathit{Reach}_2 \cap \mathit{Ext}_1(s_0,s_1)$ and $(s_2,s) \in \mathit{Ext}'(s_0,s_2)$. Then $(s_2,s) \in \mathit{Ext}_2(s_1,s_2)$.

Proof. Notice that, by Lemma 7, $\mathit{after}(s_2) \subseteq \mathit{after}(s_1) \subseteq \mathit{after}(s_0)$. Recall that

$$\mathit{Ext}'(s_0,s_2) = [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)} \cup G_0|_{\mathit{after}(s_2)}]^*$$
$$\mathit{Ext}_2(s_1,s_2) = [(G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}]^*$$

Since $(s_2,s) \in \mathit{Ext}'(s_0,s_2)$, $A_0 \subseteq A_1$, $G_0 \subseteq G_1$ and $\mathit{after}(s_1) \subseteq \mathit{after}(s_0)$, there exist $s_3,\ldots,s_n$ such that $s_n = s$ and for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}$.

Due to Lemma 17, for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup (G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}$.

Because $(s_1,s_2) \in \mathit{Reach}_2$, $(s_1,s_2) \in [(G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)}]^* \subseteq [(G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup (G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}]^*$.

Hence, by Proposition 3 applied to the statement ${}^{\ell_1}cmd_1,\ell_2$, for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) \cup (G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}$.

Given that $(G_1|_{\mathit{after}(s_0)} \cap \mathrm{Tr}_1) = (G_1|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \cap \mathrm{Tr}_1) \cup (G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_1)$ and $G_1|_{\mathit{after}(s_2)} \cap \mathrm{Tr}_1 \subseteq G_1|_{\mathit{after}(s_2)}$, by Proposition 3 applied to the statement ${}^{\ell_2}cmd_2,\ell_3$, we conclude that for all $k \in \{2,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_1|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \cap \mathrm{Tr}_1) \cup (G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}$. Let $k_0$ be such that $(s_{k_0},s_{k_0+1}) \in (G_1|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \cap \mathrm{Tr}_1) \setminus G_1|_{\mathit{after}(s_2)}$. By Lemma 21, $(s_1,s_{k_0}) \in \mathit{Ext}_1(s_0,s_1)$. Therefore $(s_{k_0},s_{k_0+1}) \in \mathit{Sub}_1$.

Hence $(s_2,s) \in [\mathit{Sub}_1|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \cup (G_1|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_2) \cup A_1|_{\mathit{after}(s_1)} \cup G_1|_{\mathit{after}(s_2)}]^*$. Because $\mathit{Sub}_1|_{\mathit{after}(s_0) \setminus \mathit{after}(s_1)} \subseteq A_1|_{\mathit{after}(s_1)}$, we conclude that $(s_2,s) \in \mathit{Ext}_2(s_1,s_2)$. □

To prove Property 1 of Theorem 1, we have to prove that $Q' \sqsubseteq Q_2$. We claim that (a) $S' \subseteq S_2$, (b) $\mathit{Self}' \subseteq \mathit{Self}_1 \cup \mathit{Self}_2$, (c) $\mathit{Par}' \subseteq \mathit{Par}_1 \cup \mathit{Par}_2 \cup \mathit{Sub}_1$ and (d) $\mathit{Sub}' \subseteq \mathit{Sub}_1 \cup \mathit{Sub}_2$. Using these claims and the definition of the semantics $\llbracket \cdot \rrbracket$, we conclude that $Q' \sqsubseteq Q_2$.

Now, we prove these claims:

Claim 5. Using the notations of this section, $S' \subseteq S_2$.

Proof. Let $s \in S'$, so there exists $s_0 \in S_0$ such that $(s_0,s) \in \mathit{Reach}'$ and $\mathit{label}(s) = \ell_3$. According to Lemma 20 there exists $s_1 \in S_1$ such that $(s_1,s) \in \mathit{Reach}_2$. Therefore $s \in S_2$. □

Claim 6. Using the notations of this section, $\mathit{Self}' \subseteq \mathit{Self}_1 \cup \mathit{Self}_2$.

Proof. Let $(s,s') \in \mathit{Self}'$. So $(s,s') \in \mathrm{Tr}$, and there exists $s_0 \in S_0$ such that $(s_0,s) \in \mathit{Reach}'$.

According to Lemma 19, either $(s_0,s) \in \mathit{Reach}_1$ and $\mathit{label}(s) \neq \ell_2$, or there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$ and $(s_1,s) \in \mathit{Reach}_2$.

In the first case, according to Lemma 15, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2)$. Since $\mathit{label}(s) \neq \ell_2$, by Lemma 18, $(s,s') \in \mathrm{Tr}_1$. Hence, by definition, $(s,s') \in \mathit{Self}_1$.

In the second case, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. Since $(s,s') \in \mathrm{Tr}$, by Lemma 18, $(s,s') \in \mathrm{Tr}_2$. Given that $s \in \mathit{Reach}_2(S_1)$ and $(s,s') \in \mathrm{Tr}_2$, we conclude that $(s,s') \in \mathit{Self}_2$. □

Claim 7. Using the notations of this section, $\mathit{Par}' \subseteq \mathit{Par}_1 \cup \mathit{Par}_2 \cup \mathit{Sub}_1$.

Proof. Let $(s,s') \in \mathit{Par}'$. Then $(s,s') \in \mathrm{Tr}$ and there exist $s_0 \in S_0$ and $s_2$ such that $(s_0,s_2) \in \mathit{Reach}'$, $(s_2,s) \in \mathit{Schedule}$ and $s \in \mathit{after}(s_0)$. According to Lemma 19 there are two cases:

First case: $(s_0,s_2) \in \mathit{Reach}_1$ and $\mathit{label}(s_2) \neq \ell_2$. Then, using the fact that $\mathit{Schedule} \subseteq \mathrm{Tr}_1$, $(s_0,s) \in (\mathrm{Tr}_1 \cup A_0|_{\mathit{after}(s_0)})^*$. Because $s \in \mathit{after}(s_0)$, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_1}cmd_1,\ell_2) \setminus \{\ell_2\}$. Hence, according to Lemma 18, $(s,s') \in \mathrm{Tr}_1$. We conclude that $(s,s') \in \mathit{Par}_1$.

Second case: there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s_2) \in \mathit{Reach}_2$ and $(s_1,s_2) \in \mathit{Ext}_1(s_0,s_1)$. Hence $(s_1,s) \in \mathit{Ext}_1(s_0,s_1);\mathit{Schedule} = \mathit{Ext}_1(s_0,s_1)$.

If $s \in \mathit{after}(s_1)$, then, because $(s_1,s) \in \mathit{Reach}_2;\mathit{Schedule}$, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. So, in this case, by Lemma 18, $(s,s') \in \mathrm{Tr}_2$ and then $(s,s') \in \mathit{Par}_2$.

Let us consider the case $s \notin \mathit{after}(s_1)$. Given that $(s_0,s_1) \in \mathit{Reach}_1$ and $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$, by Proposition 3, $(s,s') \in \mathrm{Tr}_1$. Hence $(s,s') \in \mathit{Sub}_1$. □

Claim 8. Using the notations of this section, $\mathit{Sub}' \subseteq \mathit{Sub}_1 \cup \mathit{Sub}_2$.

Proof. Let $(s,s') \in \mathit{Sub}'$. Then there exist $s_0$ and $s_2$ such that $(s_0,s_2) \in \mathit{Reach}'$, $(s_2,s) \in \mathit{Ext}'(s_0,s_2)$ and $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_2)$. According to Lemma 20, there exists $s_1 \in S_1$ such that $(s_0,s_1) \in \mathit{Reach}_1$, $(s_1,s_2) \in \mathit{Reach}_2$ and $(s_1,s_2) \in \mathit{Ext}_1(s_0,s_1)$. By Lemmas 21 and 22, $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$ and $(s_2,s) \in \mathit{Ext}_2(s_1,s_2)$.

Let us consider the case $s \notin \mathit{after}(s_1)$. Because $s \in \mathit{after}(s_0)$, $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_1)$. Furthermore, given that $(s_0,s_1) \in \mathit{Reach}_1$ and $(s_1,s) \in \mathit{Ext}_1(s_0,s_1)$, by Proposition 3, $(s,s') \in \mathrm{Tr}_1$. We conclude that $(s,s') \in \mathit{Sub}_1$.

Let us consider the case $s \in \mathit{after}(s_1)$. Because $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_2)$, $s \in \mathit{after}(s_1) \setminus \mathit{after}(s_2)$. By Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_2,\ell_3)$. Hence, by Lemma 18, $(s,s') \in \mathrm{Tr}_2$ and therefore $(s,s') \in \mathit{Sub}_2$. □

3.5.2 Proof of Property 2 of Theorem 1

In this section, we consider a command ${}^{\ell_1}\mathit{if}(cond)\ \mathit{then}\{{}^{\ell_2}cmd_1\}\ \mathit{else}\{{}^{\ell_3}cmd_2\},\ell_4$ and an initial configuration $Q_0 = (S_0,G_0,A_0)$. We write $[\mathit{Reach},\mathit{Ext},\mathit{Self},\mathit{Par},\mathit{Sub}]$ for the components of $\{\!|{}^{\ell_1}\mathit{if}(cond)\ \mathit{then}\{{}^{\ell_2}cmd_1\}\ \mathit{else}\{{}^{\ell_3}cmd_2\},\ell_4|\!\}(Q_0)$, and index in the same way, with $+$, $1$, $\neg$ and $2$, those of the guard and branch statements defined below.




Let $(S',G',A') = \llbracket {}^{\ell_1}\mathit{if}(cond)\ \mathit{then}\{{}^{\ell_2}cmd_1\}\ \mathit{else}\{{}^{\ell_3}cmd_2\},\ell_4 \rrbracket(S_0,G_0,A_0)$.
Let $(S_+,G_+,A_+) = \llbracket {}^{\ell_1}\mathit{guard}(cond),\ell_2 \rrbracket(S_0,G_0,A_0)$.
Let $(S_1,G_1,A_1) = \llbracket {}^{\ell_2}cmd_1,\ell_4 \rrbracket(S_+,G_+,A_+)$.
Let $(S_\neg,G_\neg,A_\neg) = \llbracket {}^{\ell_1}\mathit{guard}(\neg cond),\ell_3 \rrbracket(S_0,G_0,A_0)$.
Let $(S_2,G_2,A_2) = \llbracket {}^{\ell_3}cmd_2,\ell_4 \rrbracket(S_\neg,G_\neg,A_\neg)$.

Let $\mathrm{Tr} = \mathrm{Tr}_{{}^{\ell_1}\mathit{if}(cond)\,\mathit{then}\{{}^{\ell_2}cmd_1\}\,\mathit{else}\{{}^{\ell_3}cmd_2\},\ell_4}$.

Lemma 23. $\mathrm{Tr}_{{}^{\ell_1}\mathit{if}(cond)\,\mathit{then}\{{}^{\ell_2}cmd_1\}\,\mathit{else}\{{}^{\ell_3}cmd_2\},\ell_4} = \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2} \cup \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4} \cup \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(\neg cond),\ell_3} \cup \mathrm{Tr}_{{}^{\ell_3}cmd_2,\ell_4}$.

Lemma 24. If $(s_0,s) \in \mathit{Reach}$ and $s_0 \in S_0$, then one of the three following properties holds:

1. $s \in \mathit{interfere}_{A_0}(\{s_0\})$,

2. or there exists $s_1 \in S_+$ such that $(s_1,s) \in \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$,

3. or there exists $s_1 \in S_\neg$ such that $(s_1,s) \in \mathit{Reach}_2 \cap \mathit{Ext}_\neg(s_0,s_1)$.

Proof. Let us consider the case $s \notin \mathit{interfere}_{A_0}(\{s_0\})$. Because $(s_0,s) \in \mathit{Reach}$, $(s_0,s) \in [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)}]^*$.

Therefore, there exist $s'_0$ and $s_1$ such that $(s_0,s'_0) \in (A_0|_{\mathit{after}(s_0)} \cup \mathit{Schedule})^*$, $(s'_0,s_1) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}$ and $(s_1,s) \in [(G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)}]^*$. Because $(s'_0,s_1) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}$, $s'_0 \in \mathit{after}(s_0)$. By Lemma 11, $\mathit{thread}(s_0) = \mathit{thread}(s'_0)$. By Lemma 13, $\mathit{label}(s_0) = \mathit{label}(s'_0) = \ell_1$. Therefore, due to Lemmas 1 and 23, $(s'_0,s_1) \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2} \cup \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(\neg cond),\ell_3}$. Either $(s'_0,s_1) \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2}$ or $(s'_0,s_1) \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(\neg cond),\ell_3}$.

In the first case, by Lemma 1, $\mathit{thread}(s'_0) = \mathit{thread}(s_1)$ and $\mathit{label}(s_1) = \ell_2$. Therefore, $(s_0,s_1) \in \mathit{Reach}_+$ and $s_1 \in S_+$. There exists a sequence $s_2,\ldots,s_n$ such that $s_n = s$ and $\forall k \in \{1,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}) \cup A_0|_{\mathit{after}(s_0)}$.

Let us prove by induction on $k$ that $\forall k \in \{1,\ldots,n-1\}$, $(s_k,s_{k+1}) \in (G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}) \cup A_0|_{\mathit{after}(s_0)}$. Let us consider the case $(s_k,s_{k+1}) \in G_0|_{\mathit{after}(s_0)} \cap \mathrm{Tr}$. By induction hypothesis $(s_1,s_k) \in [(G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}) \cup A_0|_{\mathit{after}(s_0)}]^*$. Hence, by Proposition 3, either $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2}$ or $s_k \in \mathit{after}(s_1)$.

If $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2}$ and $s_k \notin \mathit{after}(s_1)$ then $(s_k,s_{k+1}) \in \mathit{Sub}_+$. This contradicts Claim 2. Therefore $s_k \in \mathit{after}(s_1)$. By Lemma 14, $\mathit{label}(s_k) \in \mathit{Labs}({}^{\ell_2}cmd_1,\ell_4)$. Hence, by Lemmas 1 and 23, $(s_k,s_{k+1}) \in \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}$.

We conclude that $(s_1,s) \in [(G_0|_{\mathit{after}(s_1)} \cap \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}) \cup A_0|_{\mathit{after}(s_0)}]^* \subseteq \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$.

The second case is similar. □
Claim 9. $S' \subseteq S_1 \cup S_2$.

Proof. Let $s \in S'$. Then there exists $s_0 \in S_0$ such that $(s_0,s) \in \mathit{Reach}$ and $\mathit{label}(s) = \ell_4 \neq \ell_1$. Hence, due to Lemma 13, $s \notin \mathit{interfere}_{A_0}(\{s_0\})$.

According to Lemma 24, there exists $s_1$ such that either (1) $s_1 \in S_+$ and $(s_1,s) \in \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$, or (2) $s_1 \in S_\neg$ and $(s_1,s) \in \mathit{Reach}_2 \cap \mathit{Ext}_\neg(s_0,s_1)$.

In the first case, by definition, $s \in S_1$, and in the second case $s \in S_2$. □

Claim 10. $\mathit{Self} \subseteq \mathit{Self}_+ \cup \mathit{Self}_1 \cup \mathit{Self}_\neg \cup \mathit{Self}_2$.

Proof. Let $(s,s') \in \mathit{Self}$. Then there exists $s_0 \in S_0$ such that $(s_0,s) \in \mathit{Reach}$.

Let us consider the case $s \in \mathit{interfere}_{A_0}(\{s_0\})$. By Lemma 13, $\mathit{label}(s) = \ell_1$. Hence, by Lemmas 1 and 23, $(s,s') \in \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(cond),\ell_2} \cup \mathrm{Tr}_{{}^{\ell_1}\mathit{guard}(\neg cond),\ell_3}$. Hence, $(s,s') \in \mathit{Self}_+ \cup \mathit{Self}_\neg$.

According to Lemma 24, if $s \notin \mathit{interfere}_{A_0}(\{s_0\})$, then there exists $s_1$ such that either (1) $s_1 \in S_+$ and $(s_1,s) \in \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$, or (2) $s_1 \in S_\neg$ and $(s_1,s) \in \mathit{Reach}_2 \cap \mathit{Ext}_\neg(s_0,s_1)$.

In the first case, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_1,\ell_4)$. Hence, by Lemmas 1 and 23, $(s,s') \in \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}$ and therefore $(s,s') \in \mathit{Self}_1$.

In the second case, we similarly conclude that $(s,s') \in \mathit{Self}_2$. □

Claim 11. $\mathit{Par} \subseteq \mathit{Par}_1 \cup \mathit{Par}_2$.

Proof. Let $(s,s') \in \mathit{Par}$. Then there exist $s_0 \in S_0$ and $s_2$ such that $(s_0,s_2) \in \mathit{Reach}$, $(s_2,s) \in \mathit{Schedule}$ and $s \in \mathit{after}(s_0)$. Notice that $\mathit{thread}(s_0) = \mathit{thread}(s_2) \neq \mathit{thread}(s)$.

Assume by contradiction that $s_2 \in \mathit{interfere}_{A_0}(\{s_0\})$. Then, due to Lemma 11, $\mathit{thread}(s) = \mathit{thread}(s_0)$. This is contradictory.

Therefore, according to Lemma 24, there exists $s_1$ such that either (1) $s_1 \in S_+$ and $(s_1,s_2) \in \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$, or (2) $s_1 \in S_\neg$ and $(s_1,s_2) \in \mathit{Reach}_2 \cap \mathit{Ext}_\neg(s_0,s_1)$. In both cases, by Lemma 12, $s \in \mathit{after}(s_1)$.

In the first case, by Lemma 14, $\mathit{label}(s) \in \mathit{Labs}({}^{\ell_2}cmd_1,\ell_4)$ and therefore, by Lemmas 23 and 1, $(s,s') \in \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}$. Hence, $(s,s') \in \mathit{Par}_1$.

In the second case, we similarly conclude that $(s,s') \in \mathit{Par}_2$. □

Claim 12. $\mathit{Sub} \subseteq \mathit{Sub}_1 \cup \mathit{Sub}_2$.

Proof. Let $(s,s') \in \mathit{Sub}$. Then there exist $s_0 \in S_0$ and $s_2 \in S'$ such that $(s_0,s_2) \in \mathit{Reach}$, $(s_2,s) \in \mathit{Ext}(s_0,s_2)$ and $s \in \mathit{after}(s_0) \setminus \mathit{after}(s_2)$. Notice that $\mathit{thread}(s_0) = \mathit{thread}(s_2) \neq \mathit{thread}(s)$.

Assume by contradiction that $s_2 \in \mathit{interfere}_{A_0}(\{s_0\})$. Then, due to Lemma 13, $\mathit{label}(s_2) = \ell_1$. This contradicts $s_2 \in S'$.

Therefore, according to Lemma 24, there exists $s_1$ such that either (1) $s_1 \in S_+$ and $(s_1,s_2) \in \mathit{Reach}_1 \cap \mathit{Ext}_+(s_0,s_1)$, or (2) $s_1 \in S_\neg$ and $(s_1,s_2) \in \mathit{Reach}_2 \cap \mathit{Ext}_\neg(s_0,s_1)$. In both cases, by Lemma 12, $s \in \mathit{after}(s_1)$.

In the first case, because $s \notin \mathit{after}(s_2)$, by Proposition 3, $(s,s') \in \mathrm{Tr}_{{}^{\ell_2}cmd_1,\ell_4}$. Hence, $(s,s') \in \mathit{Sub}_1$.

In the second case, we similarly conclude that $(s,s') \in \mathit{Sub}_2$. □

Property 2 of Theorem 1 is a straightforward consequence of Claims 9, 10, 11 and 12.

3.5.3 Proof of Property 3 of Theorem 1

In this section, we consider a command $\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3$ and an initial configuration $Q_0 = (S_0, G_0, A_0)$.

Let $Q' = (S', G', A') = [\![\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3]\!](Q_0)$.
Let $Q_w = (S_w, G_w, A_w) = loop^*(Q_0)$.
Let $Q'' = (S'', G'', A'') = [\![\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3]\!](Q_w)$.
Let $K = [Reach, Ext, Self, Par, Sub] = \{\!|\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3|\!\}(Q_w)$.
Let $Q_+ = (S_+, G_+, A_+) = [\![\ell_1 guard(cond), \ell_2]\!](Q_w)$.
Let $K_+ = [Reach_+, Ext_+, Self_+, Par_+, Sub_+] = \{\!|\ell_1 guard(cond), \ell_2|\!\}(Q_w)$.
Let $K_{cmd} = [Reach_{cmd}, Ext_{cmd}, Self_{cmd}, Par_{cmd}, Sub_{cmd}] = \{\!|\ell_2 cmd, \ell_1|\!\}(Q_+)$.
Let $Q_\neg = (S_\neg, G_\neg, A_\neg) = [\![\ell_1 guard(\neg cond), \ell_3]\!](Q_w)$.
Let $K_\neg = [Reach_\neg, Ext_\neg, Self_\neg, Par_\neg, Sub_\neg] = \{\!|\ell_1 guard(\neg cond), \ell_3|\!\}(Q_w)$.
Let $Tr = Tr_{\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3}$.

Lemma 25. $Tr_{\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3} = Tr_{\ell_1 guard(\neg cond), \ell_3} \cup Tr_{\ell_1 guard(cond), \ell_2} \cup Tr_{\ell_2 cmd, \ell_1}$.

Notice that, by definition, $Q_0 \leq Q_w$.

Lemma 26. We use the above notations. Let $s_0, s_1, \ldots, s_n, \ldots, s_m$ be a sequence of states such that $(s_0, s_m) \in Reach_\neg$, $(s_0, s_n) \in Reach_\neg$, $s_n \in S_w$ and, for all $k \in \{0, \ldots, m-1\}$, $(s_k, s_{k+1}) \in (G_w|_{after(s_0)} \cap Tr) \cup A_w|_{after(s_0)}$. Therefore, $(s_n, s_m) \in Reach_\neg$.

Proof. For all $k$, $(s_k, s_{k+1}) \in (G_w|_{after(s_n)} \cap Tr) \cup (G_w|_{after(s_0) \setminus after(s_n)} \cap Tr) \cup A_w|_{after(s_0)}$.

Let $k_0 \geq n$ be such that $(s_{k_0}, s_{k_0+1}) \in G_w|_{after(s_0) \setminus after(s_n)} \cap Tr$. Notice that $(s_n, s_{k_0}) \in Ext_w(s_0, s_n)$ and $s_{k_0} \in after(s_0) \setminus after(s_n)$. Hence, $(s_{k_0}, s_{k_0+1}) \in Sub_w \subseteq A_w$. Therefore $(s_{k_0}, s_{k_0+1}) \in A_w|_{after(s_0)}$.

In addition to this, according to Lemma 15, $after(s_n) \subseteq after(s_0)$, so, for all $k \geq n$, $(s_k, s_{k+1}) \in (G_w|_{after(s_n)} \cap Tr) \cup A_w|_{after(s_0)}$. □

Lemma 27. Using the notations of this section, if $s \in Reach(S_0)$, then there exists $s_0 \in S_w$ such that:

1. either $(s_0, s) \in Reach_\neg$,

2. or there exists $s_1 \in S_+$ such that $(s_0, s_1) \in Reach_+$ and $(s_1, s) \in Reach_{cmd}$ and $label(s) \neq \ell_1$.

Proof. Let $s \in Reach(S_0)$. We consider a sequence $s_0, \ldots, s_n$ of minimal length such that the following properties hold: (1) $s_n = s$, (2) $s_0 \in S_w$, (3) for all $k \in \{0, \ldots, n-1\}$, $(s_k, s_{k+1}) \in (G_w|_{after(s_0)} \cap Tr) \cup A_w|_{after(s_0)}$. Such a sequence exists because $S_0 \subseteq S_w$.

If for all $k \in \{0, \ldots, n-1\}$, $(s_k, s_{k+1}) \in Schedule \cup A_w|_{after(s_0)}$, then $(s_0, s) \in Reach_\neg \cap Reach_+ \subseteq Reach_\neg$.

Let us assume, from now on, that there exists $k \in \{0, \ldots, n-1\}$ such that $(s_k, s_{k+1}) \in (G_w|_{after(s_0)} \cap Tr_{\ell_1 while(cond)\{\ell_2 cmd\}, \ell_3}) \setminus Schedule$. Let $k_0$ be the smallest such $k$.

Therefore $(s_{k_0}, s_{k_0+1}) \in G_w|_{after(s_0)}$, so $s_{k_0} \in after(s_0)$. According to Lemma 11, $thread(s_0) = thread(s_{k_0})$. By Lemma 13, $label(s_0) = label(s_{k_0})$. But $label(s_0) = \ell_1$, therefore, by Lemma 2, $(s_{k_0}, s_{k_0+1}) \notin Tr_{\ell_2 cmd, \ell_1}$. Therefore, by Lemma 25, either $(s_{k_0}, s_{k_0+1}) \in Tr_{\ell_1 guard(\neg cond), \ell_3}$ or $(s_{k_0}, s_{k_0+1}) \in Tr_{\ell_1 guard(cond), \ell_2}$.

In the first case, by Lemma 5, $label(s_{k_0+1}) = \ell_3$. Let us prove by induction on $k$ that for all $k > k_0$, $(s_k, s_{k+1}) \in A_w|_{after(s_0)} \cup Schedule$. By induction hypothesis, $(s_{k_0}, s_k) \in [A_w|_{after(s_0)} \cup Schedule]^*$. Let us consider the case $(s_k, s_{k+1}) \in G_w|_{after(s_0)} \cap Tr$. Therefore $s_k \in after(s_0)$, then by Lemma 11, $thread(s_k) = thread(s_{k_0+1})$. By Lemma 13, $label(s_k) = label(s_{k_0+1}) = \ell_3$. So, by Lemma 2, $(s_k, s_{k+1}) \in Schedule$. Hence $(s_0, s) \in Reach_\neg$.

In the second case, $(s_0, s_{k_0+1}) \in Reach_+$ and therefore, by Lemma 5, $s_{k_0+1} \in S_+$. Either there exists $k_1 > k_0$ such that $(s_{k_1}, s_{k_1+1}) \in G_w|_{after(s_0)} \cap (Tr_{\ell_1 guard(\neg cond), \ell_3} \cup Tr_{\ell_1 guard(cond), \ell_2})$, or there does not exist such a $k_1$.

Assume by contradiction that $k_1$ exists; therefore, by Lemma 5, $label(s_{k_1}) = \ell_1$. According to Lemma 14, $thread(s_{k_1}) = thread(s_0)$. Hence, $(s_0, s_{k_1}) \in Reach_+$. So, by Lemma 26, $(s_{k_1}, s_n) \in Reach_+$. This is contradictory with the minimality of the path $s_0, \ldots, s_n$. Therefore $k_1$ does not exist.

Hence, for all $k > k_0$, $(s_k, s_{k+1}) \in (G_w|_{after(s_0)} \cap Tr_{\ell_2 cmd, \ell_1}) \cup A_w|_{after(s_0)}$. According to Proposition 3, for all $k > k_0$, $(s_k, s_{k+1}) \in (G_w|_{after(s_{k_0+1})} \cap Tr_{\ell_2 cmd, \ell_1}) \cup A_w|_{after(s_0)}$. Therefore, $(s_{k_0+1}, s) \in Reach_{cmd}$. □

Claim 13. Using the notations of this section, $S' \subseteq S_\neg$.

Proof. Let $s \in S'$; therefore $s \in Reach(S_0)$. Furthermore, $label(s) = \ell_3$. Hence, according to Lemma 15, for all $s_1$, $(s_1, s) \notin Reach_{cmd}$. Therefore, according to Lemma 27, there exists $s_0 \in S_w$ such that $(s_0, s) \in Reach_\neg$. Hence $s \in S_\neg$. □

Claim 14. $Self \subseteq Self_\neg \cup Self_+ \cup Self_{cmd}$.

Proof. Let $(s, s') \in Self$. According to Lemma 25, $(s, s') \in Tr_{\ell_1 guard(\neg cond), \ell_3} \cup Tr_{\ell_1 guard(cond), \ell_2} \cup Tr_{\ell_2 cmd, \ell_1}$.

Let us consider the case $(s, s') \in Tr_{\ell_1 guard(\neg cond), \ell_3} \cup Tr_{\ell_1 guard(cond), \ell_2}$. Due to Lemma 5, $label(s) = \ell_1$. Hence, according to Lemma 27, either $(s_0, s) \in Reach_\neg$ or there exists $s_1 \in S_+$ such that $(s_1, s) \in Reach_{cmd}$ (contradiction with Lemma 15 and $label(s) = \ell_1$). According to Lemma 16, either $label(s) = \ell_2 \neq \ell_1$ (contradiction) or $s \in interfere_{A_0}(S_0) \subseteq Reach_\neg(S_w) \cap Reach_+(S_w)$. Therefore either $(s, s') \in Self_\neg$ or $(s, s') \in Self_+$.

Let us consider the case $(s, s') \in Tr_{\ell_2 cmd, \ell_1}$. Therefore, according to Lemma 1, $label(s) \in Labs(\ell_2 cmd, \ell_1) \setminus \{\ell_1\}$. If $s'' \in Reach_\neg(S_w)$, then, by Lemma 16, the label of $s''$ is constrained so that $s \notin Reach_\neg(S_w)$. So, by Lemma 27, there exists $s_0 \in S_w$ and $s_1 \in S_+$ such that $(s_0, s_1) \in Reach_+$ and $(s_1, s) \in Reach_{cmd}$. According to Proposition 3, $s \in after(s_1)$ and therefore $(s, s') \in Self_{cmd}$. □



Claim 15. $Par \subseteq Par_{cmd}$.

Proof. Let $(s, s') \in Par$. There exist $s_0$ and $s_2$ such that $(s_0, s_2) \in Reach$, $(s_2, s) \in Schedule$ and $s \in after(s_0)$. By Lemma 16, either $(s_0, s_2) \in Reach_\neg$ or there exists $s_1 \in S_+$ such that $(s_0, s_1) \in Reach_+$, $(s_1, s_2) \in Reach_{cmd}$ and $label(s_2) \neq \ell_2$.

In the first case, because $s \in after(s_0)$, by Lemma 11, $thread(s) = thread(s_0)$. But, by definition of $Schedule$ and $Reach_\neg$, $thread(s_2) \neq thread(s)$ and $thread(s_0) = thread(s_2)$. This is contradictory.

In the second case, by Proposition 3, $s \in after(s_1)$. Because $thread(s) \neq thread(s_0) = thread(s_2)$, by Lemma 14, $label(s) \in Labs(\ell_2 cmd, \ell_1) \setminus \{\ell_2\}$. Therefore, by Lemmas 25 and 5, $(s, s') \in Tr_{\ell_2 cmd, \ell_1}$. Hence $(s, s') \in Par_{cmd}$. □

Claim 16. $Sub \subseteq Sub_\neg$.

Proof. Let $(s, s') \in Sub$. Therefore, there exist $s_0 \in S_0$ and $s_1 \in S'$ such that $(s_0, s_1) \in Reach$ and $(s_1, s) \in Ext(s_0, s_1)$.

Notice that $label(s_1) = \ell_3$, therefore, according to Lemma 15, $s_1 \notin Reach_+ ; Reach_{cmd}(S_w)$. Hence, by Lemma 27, $(s_0, s_1) \in Reach_\neg$.

$(s_1, s) \in Ext(s_0, s_1) \subseteq [(G_w|_{after(s_0)} \cap Tr) \cup A_w|_{after(s_0)} \cup G_w|_{after(s_1)}]^*$. By Proposition 3, $(s_1, s) \in [(G_w|_{after(s_0)} \cap Tr_{\ell_1 guard(\neg cond), \ell_3}) \cup (G_w|_{after(s_1)} \cap Tr_{\ell_1 guard(\neg cond), \ell_3}) \cup A_w|_{after(s_0)} \cup G_w|_{after(s_1)}]^* = Ext_\neg(s_0, s_1)$. □

Property 3 of Theorem 1 is a straightforward consequence of Claims 13, 
14, 15 and 16. 

3.5.4 Proof of Property 4 of Theorem 1 

Let $Q_0 = (S_0, G_0, A_0)$ be a configuration.

Let $Q' = (S', G', A') = [\![\ell_1 create(\ell_2 cmd), \ell_3]\!](Q_0)$.
Let $K = [Reach, Ext, Self, Par, Sub] = \{\!|\ell_1 create(\ell_2 cmd), \ell_3|\!\}(Q_0)$.
Let $Q_1 = (S_1, G_1, A_1) = [\![\ell_1 spawn(\ell_2), \ell_3]\!](Q_0)$.
Let $K_1 = [Reach_1, Ext_1, Self_1, Par_1, Sub_1] = \{\!|\ell_1 spawn(\ell_2), \ell_3|\!\}(Q_0)$.
Let $Q_2 = (S_2, G_2, A_2) = init\text{-}child_{\ell_2}(Q_1)$.
Let $G_\infty = guarantee_{\ell_2 cmd, \ell_\infty}(Q_2)$.
Let $K_3 = [Reach_3, Ext_3, Self_3, Par_3, Sub_3] = \{\!|\ell_2 cmd, \ell_\infty|\!\}(S_2, G_\infty, A_2)$.
Let $Q_3 = (S_3, G_3, A_3) = combine_{Q_0}(G_\infty)$. Let $Tr = Tr_{\ell_1 create(\ell_2 cmd), \ell_3}$.

Lemma 28. $Tr_{\ell_1 create(\ell_2 cmd), \ell_3} = Tr_{\ell_1 spawn(\ell_2), \ell_3} \cup Tr_{\ell_2 cmd, \ell_\infty}$.

Lemma 29. Let $T$ be a set of transitions. Let $s_0, s_1, s_2, s$ and $s'$ be such that $(s_0, s_1) \in Reach_1$, $s_2 \in schedule\text{-}child\{s_1\}$, $label(s_1) = \ell_3$, $(s_2, s) \in T^*$ and $s \in after(s_0)$.

Therefore, $s \in after(s_1) \cup after(s_2)$.

Proof. According to Lemma 16, there exist $s'_0$ and $s'_1$ such that $s'_0 \in interfere_{A_0}\{s_0\}$, $(s'_0, s'_1) \in Tr_{\ell_1 spawn(\ell_2), \ell_3} \setminus Schedule$, and $s_1 \in interfere_{A_1}\{s'_1\}$. By Lemmas 11 and 1, $thread(s_0) = thread(s'_0) = thread(s'_1) = thread(s_1)$. Let $i_0 = thread(s_0)$ and $i = thread(s)$.

Let $g_0, g'_0, j, g_1$ and $g$ be such that the genealogies of $s_0, s'_0, s'_1, s_1, s_2, s$ are, respectively, $g_0$, $g_0 \cdot g'_0$, $g_0 \cdot g'_0 \cdot (i_0, \ell_2, j)$, $g_0 \cdot g'_0 \cdot (i_0, \ell_2, j) \cdot g_1$, $g_0 \cdot g'_0 \cdot (i_0, \ell_2, j) \cdot g_1$ and $g_0 \cdot g'_0 \cdot (i_0, \ell_2, j) \cdot g_1 \cdot g$. Notice that $s_1$ and $s_2$ have the same genealogy.

Because $(s_0, s'_0) \in [A_0|_{after(s_0)} \cup Schedule]^*$, by Lemma 10, $desc_{g'_0}\{i_0\} = \{i_0\}$.

Because $(s'_1, s_1) \in [A_0|_{after(s_0)} \cup Schedule]^*$, by Lemma 10, $desc_{(i_0, \ell_2, j) \cdot g_1}\{i_0\} = desc_{(i_0, \ell_2, j)}\{i_0\} = \{i_0, j\}$.

By definition of $desc$, $desc_{g'_0 \cdot (i_0, \ell_2, j) \cdot g_1 \cdot g}(\{i_0\}) = desc_g[desc_{(i_0, \ell_2, j) \cdot g_1}(desc_{g'_0}\{i_0\})] = desc_g\{i_0, j\}$. By definition of $desc$, $desc_{g'_0 \cdot (i_0, \ell_2, j) \cdot g_1 \cdot g}(\{i_0\}) = desc_g(\{i_0\}) \cup desc_g(\{j\})$.

Because $s \in after(s_0)$, $i \in desc_{g'_0 \cdot (i_0, \ell_2, j) \cdot g_1 \cdot g}(\{i_0\})$. Therefore either $i \in desc_g(\{i_0\})$ or $i \in desc_g(\{j\})$. If $i \in desc_g(\{i_0\})$ then $s \in after(s_1)$. If $i \in desc_g(\{j\})$ then $s \in after(s_2)$. □

Lemma 30. Let $s_0, s_1, s_2, s$ and $s'$ be such that $(s_0, s_1) \in Reach_1$, $s_2 \in schedule\text{-}child\{s_1\}$, $label(s_1) = \ell_3$, $(s_2, s) \in (G_0 \cup A_0)^*$ and $(s, s') \in G_0|_{after(s_0)} \cap Tr$.

Therefore, $s \in after(s_2)$ (i.e., $(s, s') \in G_0|_{after(s_2)} \cap Tr$).

Proof. Due to Lemma 29, $s \in after(s_1) \cup after(s_2)$. Assume by contradiction that $s \in after(s_1)$. Therefore, by Lemma 11, $thread(s) = thread(s_1)$ and by Lemma 13, $label(s) = label(s_1) = \ell_3$. This is contradictory with Lemma 1, which implies $label(s) \neq \ell_3$. □

Lemma 31. If $(s_0, s) \in Reach$ then:

• either $s \in interfere_{A_0}(s_0)$ and $label(s) = \ell_1$,

• or there exist $s_1, s_2, s_3$ such that $(s_0, s_1) \in Reach_1$, $(s_1, s_2) \in Schedule$, $(s_2, s_3) \in Reach_3 \cap Ext_1(s_0, s_1)$, $(s_3, s) \in Schedule$ and $s_2 \in schedule\text{-}child\{s_1\}$. Furthermore $label(s_1) = label(s) = \ell_3$ and $s \in interfere_{G_0 \cup A_0}\{s_1\}$.

Proof. If $(s_0, s) \in [A_0|_{after(s_0)} \cup Schedule]^*$ then $s \in interfere_{A_0}(s_0)$ and, by Lemma 13, $label(s) = \ell_1$.

Then, let us consider the other case: $(s_0, s) \notin [A_0|_{after(s_0)} \cup Schedule]^*$. Therefore, there exist $s'_0$ and $s_1$ such that $(s_0, s'_0) \in [A_0|_{after(s_0)} \cup Schedule]^*$, $(s'_0, s_1) \in (G_0|_{after(s_0)} \cap Tr)$ and $(s_1, s) \in [(G_0|_{after(s_0)} \cap Tr) \cup A_0|_{after(s_0)}]^*$.

Due to Lemma 11, because $s'_0 \in after(s_0)$, $thread(s'_0) = thread(s_0)$. According to Lemma 5, $thread(s_1) = thread(s'_0) = thread(s_0)$ and $label(s_1) = \ell_3$. Therefore $(s_0, s_1) \in Reach_1$.

Let $(i_1, P_1, \sigma_1, g_1) = s_1$. Let $g'_1$ and $j$ be such that $g'_1 \cdot (i_1, \ell_2, j) = g_1$. Let $s_2 = (j, P_1, \sigma_1, g_1)$. Therefore, $s_2 \in schedule\text{-}child\{s_1\}$ and $(s_1, s_2) \in Schedule$. Let $(i, P, \sigma, g) = s$ and $s_3 = (j, P, \sigma, g)$. Therefore, $(s_3, s) \in Schedule$.

Given that $Schedule \subseteq A_0 \cap G_0 \cap Tr$, we conclude that $(s_2, s_3) \in [(G_0|_{after(s_0)} \cap Tr) \cup A_0|_{after(s_0)}]^*$. Using Lemma 30 and a straightforward induction, $(s_2, s_3) \in [(G_0|_{after(s_2)} \cap Tr) \cup A_0|_{after(s_0)}]^*$. Then $(s_2, s_3) \in Ext_1(s_0, s_1)$. Furthermore, by Lemma 7, $after(s_2) \subseteq after(s_0)$. Hence $(s_2, s_3) \in [(G_0|_{after(s_2)} \cap Tr) \cup A_0|_{after(s_2)}]^*$. Therefore, by Proposition 1, $(s_2, s_3) \in Reach_3$. □

Claim 17. $S' \subseteq interfere_{G_0 \cup A_0}(S_1)$.

Proof. Let $s \in S'$. Therefore there exists $s_0 \in S_0$ such that $(s_0, s) \in Reach$ and $label(s) = \ell_3 \neq \ell_1$. According to Lemma 31 there exists $s_1$ such that $(s_0, s_1) \in Reach_1$, $label(s_1) = \ell_3$ and $s \in interfere_{G_0 \cup A_0}\{s_1\}$. Therefore $s_1 \in S_1$ and $s \in interfere_{G_0 \cup A_0}(S_1)$. □

Claim 18. $Self \subseteq Self_1$.

Proof. Let $(s, s') \in Self$. According to Lemma 1, $label(s) \neq \ell_3$. There exists $s_0 \in S_0$ such that $(s_0, s) \in Reach$. Therefore, according to Lemma 31, $s \in interfere_{A_0}\{s_0\}$. Therefore $(s_0, s) \in Reach_1$ and, by Lemma 13, $label(s) = \ell_1$. Due to Lemmas 2 and 28, $(s, s') \in Tr_{\ell_1 spawn(\ell_2), \ell_3}$. Hence $(s, s') \in Self_1$. □

Claim 19. $Par \subseteq Self_3 \cup Par_3$.

Proof. Let $(s, s') \in Par$. Therefore, there exists $s_0 \in S_0$ such that $(s_0, s) \in Reach ; Schedule$ and $s \in after(s_0)$. Notice that, by definition of $Schedule$, $thread(s_0) \neq thread(s)$.

Assume by contradiction that $s \in Schedule(interfere_{A_0}\{s_0\})$. Due to Lemma 11, $thread(s_0) = thread(s)$. This is contradictory.

Hence, by Lemma 31, there exist $s_1, s_2, s_3$ such that $(s_0, s_1) \in Reach_1$, $(s_1, s_2) \in Schedule$, $(s_2, s_3) \in Reach_3$, $(s_3, s) \in Schedule$, $s_2 \in schedule\text{-}child\{s_1\}$, and $label(s_1) = label(s) = \ell_3$.

Hence, $s_1 \in S_1$ and $s_2 \in S_2$.

According to Lemma 8, $after(s_1) \cap after(s_2) = \emptyset$. Given that $(s_2, s) \in Reach ; Schedule ; Schedule$, $(s_2, s) \in (G_0 \cup A_0)^*$. Hence, due to Lemma 26, $s \in after(s_2)$.

If $thread(s) = thread(s_2)$, then $(s_2, s) \in Reach_3$ and $(s, s') \in Self_3$. If $thread(s) \neq thread(s_2)$, then $(s, s') \in Par_3$. □

Claim 20. $Sub \subseteq Self_3 \cup Par_3$.

Proof. Let $(s, s') \in Sub$. There exist $s_0, s_4$ such that $(s_0, s_4) \in Reach$, $(s_4, s) \in Ext(s_0, s_4)$ and $s_4 \in S'$. By Lemma 31, there exist $s_1, s_2, s_3$ such that $(s_0, s_1) \in Reach_1$, $s_2 \in schedule\text{-}child_{A}(\{s_1\})$, $(s_2, s_3) \in Reach_3 \cap Ext_1(s_0, s_1)$ and $(s_3, s_4) \in Schedule$.

Furthermore, $s \in after(s_0) \setminus after(s_4)$. Due to Lemma 29, either $s \in after(s_1) \setminus after(s_4)$ or $s \in after(s_2) \setminus after(s_4)$.

Assume by contradiction that $s \in after(s_1) \setminus after(s_4)$. Therefore $(s, s') \in Sub_1$. But, by Claim 2, $Sub_1 = \emptyset$. Therefore $s \in after(s_2) \setminus after(s_4)$.

Given that $(s_4, s) \in Ext(s_0, s_4)$, $(s_4, s) \in [(G_0|_{after(s_0)} \cap Tr) \cup A_2|_{after(s_0)}]^*$ and, by Lemma 29, $(s_4, s) \in [(G_0|_{after(s_1) \cup after(s_2)} \cap Tr) \cup A_2|_{after(s_0)}]^*$.

By definition of $post$, $after(s_1) \subseteq post(\ell_2)$. Furthermore, by Lemma 8, $after(s_1) \cap after(s_2) = \emptyset$. Therefore $after(s_1) \subseteq post(\ell_2) \setminus after(s_2)$. Hence, $(s_4, s) \in [(G_0|_{after(s_2)} \cap Tr) \cup A_2|_{after(s_0)} \cup G_0|_{post(\ell_2) \setminus after(s_2)}]^*$. By Lemma 7, $after(s_2) \subseteq after(s_0)$, therefore $(s_4, s) \in [(G_0|_{after(s_2)} \cap Tr) \cup (A_2 \cup G_0|_{post(\ell_2)})|_{after(s_0)}]^*$. By Proposition 1, $(s_4, s) \in [(G_\infty|_{after(s_2)} \cap Tr) \cup (A_2 \cup G_0|_{post(\ell_2)})|_{after(s_0)}]^*$.

Let $(i, P, \sigma, g) = s$ and $s_5 = (thread(s_2), P, \sigma, g)$. Therefore, $(s_2, s_5) \in Reach_3$.

If $i = thread(s_2)$, then $s_5 = s$ and $(s, s') \in Self_3$. If $i \neq thread(s_2)$, then $(s_5, s) \in Schedule$ and $(s, s') \in Par_3$. □

3.6 Overapproximation of the Execution of a Program 

Lemma 32. For all $P$ and $\sigma$, $after((main, P, \sigma, \varepsilon)) = States$.

In particular, if $Init$ is the set of initial states of a program and $s \in Init$, then $after(s) = States$.

The following proposition shows the connection between the operational 
and the G-collecting semantics. 

Proposition 4 (Connection with the operational semantics). Consider a program $\ell cmd, \ell_\infty$ and its set of initial states $Init$. Let:

$(S', G', A') = [\![\ell cmd, \ell_\infty]\!](Init, G_\infty, Schedule)$
with $G_\infty = guarantee_{\ell cmd, \ell_\infty}(Init, Schedule, Schedule)$.

Then:

$S' = \{(main, P, \sigma, g) \in Tr^*_{\ell cmd, \ell_\infty}(Init) \mid P(main) = \ell_\infty\}$
$G' = G_\infty = \{(s, s') \in Tr_{\ell cmd, \ell_\infty} \mid s \in Tr^*_{\ell cmd, \ell_\infty}(Init)\} \cup Schedule$
$A' = \{(s, s') \in Tr_{\ell cmd, \ell_\infty} \mid s \in Tr^*_{\ell cmd, \ell_\infty}(Init) \wedge thread(s) \neq main\} \cup Schedule$

Proof. We only have to prove that $Reach = \{s \in Tr^*_{\ell cmd, \ell_\infty}(Init) \mid thread(s) = main\}$.

Let $s \in \{s \in Tr^*_{\ell cmd, \ell_\infty}(Init) \mid thread(s) = main\}$. There exists $s_0 \in Init$ such that $(s_0, s) \in Tr^*_{\ell cmd, \ell_\infty}$. By Proposition 1, $(s_0, s) \in (G_\infty \cap Tr_{\ell cmd, \ell_\infty})^*$.

By Lemma 32, $(s_0, s) \in [(G_\infty|_{after(s_0)} \cap Tr_{\ell cmd, \ell_\infty}) \cup Schedule|_{after(s_0)}]^*$. Hence $(s_0, s) \in Reach$.

It is straightforward to check that $Reach \subseteq \{s \in Tr^*_{\ell cmd, \ell_\infty}(Init) \mid thread(s) = main\}$. □

Recall that Tr* cmd e (Init) is the set of states that occur on paths starting 
from Init. S' represents all final states reachable by the whole program from 
an initial state. G' represents all transitions that may be done during any 
execution of the program and A' represents transitions of children of main. 



4 Abstract Semantics 

4.1 Abstraction 

Recall from the theory of abstract interpretation [4] that a Galois connection [23] between a concrete complete lattice $X$ and an abstract complete lattice $Y$ is a pair of monotonic functions $\alpha : X \to Y$ and $\gamma : Y \to X$ such that $\forall x \in X, \forall y \in Y, \alpha(x) \leq y \Leftrightarrow x \leq \gamma(y)$; $\alpha$ is called the abstraction function and $\gamma$ the concretization function. Product lattices are ordered by the product ordering and sets of functions from $X$ to a lattice $L$ are ordered by the pointwise ordering $f \leq g \Leftrightarrow \forall x \in X, f(x) \leq g(x)$. A monotonic function $f^\sharp$ is an abstraction of a monotonic function $f$ if and only if $\alpha \circ f \circ \gamma \leq f^\sharp$. It is a classical result [23] that an adjoint uniquely determines the other in a Galois connection; therefore, we sometimes omit the abstraction function (lower adjoint) or the concretization function (upper adjoint).
Our concrete lattices are the powersets $\mathcal{P}(States)$ and $\mathcal{P}(Tr)$ ordered by inclusion. Remember, our goal is to adapt any given single-thread analysis to a multithreaded setting. Accordingly, we are given an abstract complete lattice $\mathfrak{S}$ of abstract states and an abstract complete lattice $\mathfrak{G}$ of abstract transitions. These concrete and abstract lattices are linked by two Galois connections, respectively $\alpha_\mathfrak{S}, \gamma_\mathfrak{S}$ and $\alpha_\mathfrak{G}, \gamma_\mathfrak{G}$. We assume that abstractions of states and transitions depend only on stores and that all the transitions that leave the store unchanged are in $\gamma_\mathfrak{G}(\bot)$. This assumption allows us to abstract guard and spawn as the least abstract transition $\bot$.

We also assume we are given the abstract operators of Table 1, which are correct abstractions of the corresponding concrete functions. We assume $\ell_* \in Labels$ is a special label which is never used in statements. Furthermore, we define $post(\ell_*) = States$.

We define a Galois connection between $\mathcal{P}(States)$ and $\mathcal{P}(Labels)$: $\alpha_L(S) = \{\ell \in Labels \mid S \cap post(\ell) \neq \emptyset\}$ and $\gamma_L(L) = \bigcap_{\ell \in Labels \setminus L} post(\ell)$ (by convention, this set is $States$ when $L = Labels$). The set $\alpha_L(S)$ represents the set of labels that may have been encountered before reaching this point of the program.

Note that we have two distinct ways of abstracting states $(i, P, \sigma, g)$: either by using $\alpha_\mathfrak{S}$, which only depends on the store $\sigma$, or by using $\alpha_L$, which only depends on the genealogy $g$ and the current thread $i$. The latter is specific to the multithreaded case, and is used to infer information about possible interferences.

Just as $\alpha_\mathfrak{S}$ was not enough to abstract states in the multithreaded setting, $\alpha_\mathfrak{G}$ is not enough, since it loses the information of whether a given transition is in a given $post(\ell)$. This information is needed because $G|_{post(\ell)}$ is used in Theorem 1 and Fig. 7. Let us introduce the following Galois connection between the concrete lattice $\mathcal{P}(Tr)$ and the abstract lattice $\mathfrak{G}^{Labels}$, the product of $|Labels|$ copies of $\mathfrak{G}$, to this end: $\alpha_K(G) = \lambda\ell.\alpha_\mathfrak{G}(G|_{post(\ell)})$ and $\gamma_K(\mathcal{K}) = \{(s, s') \in Tr \mid \forall \ell \in Labels, s \in post(\ell) \Rightarrow (s, s') \in \gamma_\mathfrak{G}(\mathcal{K}(\ell))\}$.



Concrete function                                                                              | Abstract function
$\lambda(i, P, \sigma, g).(i, P, write_{lv:=e}(\sigma), g)$                                   | $write_{lv:=e} : \mathfrak{S} \to \mathfrak{S}$
$\lambda A, S.\ interfere_A(S)$                                                                | $inter : \mathfrak{S} \times \mathfrak{G} \to \mathfrak{S}$
$\lambda S.\{((i, P, \sigma, g), (i, P', \sigma', g')) \in Tr \mid (i, P, \sigma, g) \in S \wedge \sigma' \in write_{lv:=e}(\sigma)\}$ | $write\text{-}inter_{lv:=e} : \mathfrak{S} \to \mathfrak{G}$
$\lambda S.\{(i, P, \sigma, h) \in S \mid bool(\sigma, cond) = true\}$                        | $enforce_{cond} : \mathfrak{S} \to \mathfrak{S}$

Table 1: Given abstractions
$\mathcal{K} = \alpha_K(G)$ is an abstraction of the "guarantee condition": $\mathcal{K}(\ell_*)$ represents the whole set $G$, and $\mathcal{K}(\ell)$ represents the interferences of a child with its parent, i.e., abstracts $G|_{post(\ell)}$.

Abstract configurations are tuples $(C, L, \mathcal{K}, I) \in \mathfrak{S} \times \mathcal{P}(Labels) \times \mathfrak{G}^{Labels} \times \mathfrak{G}$ such that $inter_I(C) = C$ and $\ell_* \in L$. The meaning of each component of an abstract configuration is given by the Galois connection $\alpha_{cfg}, \gamma_{cfg}$:

$\alpha_{cfg}(S, G, A) = (inter_{\alpha_\mathfrak{G}(A)}(\alpha_\mathfrak{S}(S)), \alpha_L(S), \alpha_K(G), \alpha_\mathfrak{G}(A))$
$\gamma_{cfg}(C, L, \mathcal{K}, I) = (\gamma_\mathfrak{S}(C) \cap \gamma_L(L), \gamma_K(\mathcal{K}), \gamma_\mathfrak{G}(I))$

$C$ abstracts the possible current stores $S$. $L$ abstracts the labels encountered so far in the execution. $I$ is an abstraction of the interferences $A$.

4.2 Applications: Non-Relational Stores and Gen/Kill Analyses

As an application, we show some concrete and abstract stores that can be used in practice. We define a Galois connection $\alpha_{store}, \gamma_{store}$ between concrete and abstract stores and encode both abstract states and abstract transitions as abstract stores, i.e., $\mathfrak{S} = \mathfrak{G}$ is the lattice of abstract stores. Abstract states are concretized by:

$\gamma_\mathfrak{S}(\sigma^\sharp) = \{(i, P, \sigma, g) \mid \sigma \in \gamma_{store}(\sigma^\sharp)\}$.

Non-relational store. Such a store is a map from the set of variables $Var$ to some set $V^\flat$ of concrete values, and abstract stores are maps from $Var$ to some complete lattice $V^\sharp$ of abstract values. Given a Galois connection $\alpha_V, \gamma_V$ between $V^\flat$ and $V^\sharp$, the following is a classical, so-called non-relational abstraction of stores:

$\alpha_{store}(\sigma) = \lambda x.\alpha_V(\sigma(x))$ and $\gamma_{store}(\sigma^\sharp) = \{\sigma \mid \forall x, \sigma(x) \in \gamma_V(\sigma^\sharp(x))\}$.

Let $val_C(e)$ and $addr_C(lv)$ be the abstract value of the expression $e$ and the set of variables that may be represented by $lv$, respectively, in the context $C$.

$\gamma_\mathfrak{G}(\sigma^\sharp) = \{((i, P, \sigma, h), (i', P', \sigma', h')) \mid \forall x, \sigma'(x) \in \gamma_V(\sigma^\sharp(x)) \cup \{\sigma(x)\}\}$

$write_{x:=e}(C) = C[x \mapsto val_C(e)]$

$write_{lv:=e}(C) = \bigsqcup_{x \in addr_C(lv)} write_{x:=e}(C)$

$write\text{-}inter_{lv:=e}(C) = \lambda x.\ \mathit{if}\ x \in addr_C(lv)\ \mathit{then}\ val_C(e)\ \mathit{else}\ \bot$

$inter_I(C) = I \sqcup C$

$enforce_x(\sigma) = \sigma[x \mapsto true^\sharp]$ and $enforce_{\neg x}(\sigma) = \sigma[x \mapsto false^\sharp]$

Gen/kill analyses. In such analyses [6], stores are sets, e.g., sets of initialized variables or sets of edges of a points-to graph. The set of stores is $\mathcal{P}(X)$ for some set $X$, $\mathfrak{S} = \mathfrak{G} = \mathcal{P}(X)$, and the abstraction is trivial: $\alpha_{store} = \gamma_{store} = id$. Each gen/kill analysis gives, for each assignment, two sets: $gen(lv := e, \sigma)$ and $kill(lv := e, \sigma)$. These sets may take the current store $\sigma$ into account (e.g. Rugina and Rinard's "strong flag" [12, 13]); $gen$ (resp. $kill$) is monotonic (resp. decreasing) in $\sigma$. We define the concretization of transitions and the abstract operators:

$\gamma_\mathfrak{G}(\sigma^\sharp) = \{((i, P, \sigma, h), (i', P', \sigma', h')) \mid \sigma' \subseteq \sigma \cup \sigma^\sharp\}$

$write_{lv:=e}(C) = (C \setminus kill(lv := e, C)) \cup gen(lv := e, C)$

$write\text{-}inter_{lv:=e}(C) = gen(lv := e, C)$

$inter_I(C) = I \cup C$

$enforce_{cond}(C) = C$

4.3 Semantics of Commands

Lemma 33. $\alpha_L(S) = \alpha_L(interfere_A(S))$.

Lemma 34. $\alpha_K(schedule\text{-}child(S)) = \lambda\ell.\bot$.

Lemma 35. Let $G_1$ and $G_2$ be two sets of transitions and $S_2 = \{s \mid \exists s' : (s, s') \in G_2\}$.

Hence, $\alpha_K(G_1 \cup G_2) \leq \lambda\ell.\ \mathit{if}\ \ell \in \alpha_L(S_2)\ \mathit{then}\ \mathcal{K}(\ell) \sqcup write\text{-}inter_{lv:=e}(C)\ \mathit{else}\ \mathcal{K}(\ell)$.
$assign_{lv:=e}(C, L, \mathcal{K}, I) \stackrel{def}{=} (inter_I \circ write_{lv:=e}(C), L, \mathcal{K}', I)$
    with $\mathcal{K}' = \lambda\ell.\ \mathit{if}\ \ell \in L\ \mathit{then}\ \mathcal{K}(\ell) \sqcup write\text{-}inter_{lv:=e}(C)\ \mathit{else}\ \mathcal{K}(\ell)$

$guard_{cond}(C, L, \mathcal{K}, I) \stackrel{def}{=} (inter_I \circ enforce_{cond}(C), L, \mathcal{K}, I)$

$spawn_\ell(C, L, \mathcal{K}, I) \stackrel{def}{=} (C, L \cup \{\ell\}, \mathcal{K}, I)$

$child\text{-}spawn_\ell(C, L, \mathcal{K}, I) \stackrel{def}{=} (inter_{I \sqcup \mathcal{K}(\ell)}(C), L, \lambda\ell.\bot, I \sqcup \mathcal{K}(\ell))$

$combine_{(C, L, \mathcal{K}, I)}(\mathcal{K}') \stackrel{def}{=} (inter_{I \sqcup \mathcal{K}'(\ell_*)}(C), L, \mathcal{K} \sqcup \mathcal{K}', I \sqcup \mathcal{K}'(\ell_*))$

$execute\text{-}thread_{\ell cmd, \ell', C, L, I}(\mathcal{K}) \stackrel{def}{=} \mathcal{K}'$
    with $(C', L', \mathcal{K}', I') = \langle\!|\ell cmd, \ell'|\!\rangle(C, L, \mathcal{K}, I)$

$guarantee_{\ell cmd, \ell'}((C, L, \mathcal{K}, I)) \stackrel{def}{=} \mathrm{lfp}\ \lambda\mathcal{K}.\ execute\text{-}thread_{\ell cmd, \ell', C, L, I}(\mathcal{K})$

Figure 8: Basic abstract semantic functions



The functions of Fig. 8 abstract the corresponding functions of the G-collecting semantics (see Fig. 7).

Proposition 5. The abstract functions $assign_{lv:=e}$, $guard_{cond}$, $spawn_\ell$, $child\text{-}spawn_\ell$, $combine$ and $guarantee_{\ell cmd, \ell'}$ are abstractions of the concrete functions $[\![\ell lv := e, \ell']\!]$, $[\![\ell guard(cond), \ell']\!]$, $[\![\ell_1 spawn(\ell_2), \ell_3]\!]$, $init\text{-}child_{\ell_2} \circ [\![\ell_1 spawn(\ell_2), \ell_3]\!]$, $combine$ and $guarantee_{\ell cmd, \ell'}$ respectively.

Proof. The cases of $combine$ and $guarantee_{\ell cmd, \ell'}$ are straightforward. The case of $child\text{-}spawn_\ell$ is a straightforward consequence of Lemma 34.

Let $(C, L, \mathcal{K}, I)$ be an abstract configuration and $(S, G, A) = \gamma_{cfg}(C, L, \mathcal{K}, I)$. Therefore $S = interfere_A(S)$.

Let $(S', G', A') = [\![\ell lv := e, \ell']\!](S, G, A)$ and $(C', L', \mathcal{K}', I') = assign_{lv:=e}(C, L, \mathcal{K}, I)$.

Therefore, by definition, $C' = inter_I \circ write_{lv:=e} \circ inter_I(C)$. By Proposition 2, $S' = interfere_A(Tr_{\ell lv:=e, \ell'} \setminus Schedule(interfere_A(S)))$. Hence $\alpha_\mathfrak{S}(S') \leq C'$.

According to Proposition 2, $G' \subseteq G \cup G_{new}$ with $G_{new} = \{(s, s') \in Tr_{\ell_1 basic, \ell_2} \mid s \in interfere_A(S)\} = \{(s, s') \in Tr_{\ell_1 basic, \ell_2} \mid s \in S\}$. Hence $\alpha_\mathfrak{G}(G_{new}) \leq write\text{-}inter_{lv:=e}(C)$.

Therefore, by Lemma 35:
$\alpha_K(G') \leq \lambda\ell.\ \mathit{if}\ \ell \in L\ \mathit{then}\ \mathcal{K}(\ell) \sqcup write\text{-}inter_{lv:=e}(C)\ \mathit{else}\ \mathcal{K}(\ell)$

If $(s, s') \in Tr_{\ell lv:=e, \ell'}$ then $s' \in post(\ell) \Leftrightarrow s \in post(\ell)$. Therefore, by Lemma 33, $\alpha_L(S) = \alpha_L(S')$.

Hence $\alpha_{cfg}((S', G', A')) \leq (C', L', \mathcal{K}', I')$. Given that $\alpha_\mathfrak{G}(Tr_{\ell guard(cond), \ell'}) = \bot$ and $\forall (s, s') \in Tr_{\ell guard(cond), \ell'}$, $s' \in post(\ell) \Leftrightarrow s \in post(\ell)$, we prove in the same way that $guard_{cond}$ is an abstraction of $[\![\ell guard(cond), \ell']\!]$.
$\langle\!|\ell lv := e, \ell'|\!\rangle Q \stackrel{def}{=} assign_{lv:=e}(Q)$

$\langle\!|\ell_1 cmd_1; \ell_2 cmd_2|\!\rangle Q \stackrel{def}{=} \langle\!|\ell_2 cmd_2|\!\rangle \circ \langle\!|\ell_1 cmd_1|\!\rangle Q$

$\langle\!|\ell_1 while(cond)\{\ell_2 cmd\}|\!\rangle Q \stackrel{def}{=}$
    with $loop(Q') \stackrel{def}{=} \langle\!|cmd|\!\rangle \circ guard_{cond}(Q') \sqcup Q'$

$\langle\!|\ell_1 create(\ell_2 cmd)|\!\rangle Q \stackrel{def}{=} combine_{Q'} \circ guarantee_{\ell_2 cmd, \ell_\infty} \circ child\text{-}spawn_{\ell_2}(Q)$
    with $Q' \stackrel{def}{=} spawn_{\ell_2}(Q)$

Figure 9: Abstract semantics



Given that $\alpha_\mathfrak{G}(Tr_{\ell_1 spawn(\ell_2), \ell_3}) = \bot$ and $\forall (s, s') \in Tr_{\ell_1 spawn(\ell_2), \ell_3}$, $s' \in post(\ell) \Leftrightarrow s \in post(\ell) \vee \ell = \ell_2$, we prove in the same way that $spawn_{\ell_2}$ is an abstraction of $[\![\ell_1 spawn(\ell_2), \ell_3]\!]$. □

The $assign_{lv:=e}$ function updates $\mathcal{K}$ by adding the modification of the store to all labels encountered so far (those which are in $L$). It does not change $L$ because no thread is created. Notice that in the case of a non-relational store, we can simplify the function $assign$ using the fact that $inter_I \circ write_{x:=e}(C) = C[x \mapsto val_C(e) \sqcup I(x)]$.

The abstract semantics is defined by induction on the syntax, see Fig. 9, and, with Prop. 5, it is straightforward to check the soundness of this semantics:

Theorem 2 (Soundness). $\langle\!|cmd, \ell|\!\rangle$ is an abstraction of $[\![cmd, \ell]\!]$.

4.4 Example

Consider Fig. 10 and the non-relational store of ranges [4]. We will apply our algorithm to this example.

Our algorithm computes execute-thread a first time; then, the fixpoint is not reached, so execute-thread is computed another time.

1. Initial configuration: $Q_0 = (C_0, \{\ell_*\}, \mathcal{K}_0, I_0)$ where $C_0 = [y = ?, z = ?]$, $L_0 = \{\ell_*\}$, $\mathcal{K}_0 = \lambda\ell.\bot$ and $I_0 = \bot$.

2. The configuration $Q_1 = \langle\!|\ell_1 y := 0; \ell_2 z := 0, \ell_3|\!\rangle(Q_0)$ is computed. $Q_1 = (C_1, \{\ell_*\}, \mathcal{K}_1, \bot)$ where $C_1 = [y = 0, z = 0]$ and $\mathcal{K}_1 = \ell_* \mapsto [y = 0, z = 0]$. The $L$ and $I$ components are not changed because no new thread is created.

3. The configuration $Q_2 = child\text{-}spawn_{\ell_3}(Q_1)$ is computed. $Q_2 = (C_2, \{\ell_*\}, \mathcal{K}_2, \bot)$ where $C_2 = C_1$ and $\mathcal{K}_2 = \lambda\ell.\bot$. Notice that because $\mathcal{K}_1(\ell_3) = \bot$ the equality $C_2 = C_1$ holds.

4. The configuration $Q_3 = \langle\!|\ell_4 y := y + z, \ell_\infty|\!\rangle(Q_2)$ is computed. $Q_3 = (C_3, \{\ell_*\}, \mathcal{K}_3, \bot)$ where $C_3 = [y = 0, z = 0]$ and $\mathcal{K}_3 = \ell_* \mapsto [y = 0]$.

5. The configuration $Q_4 = combine_{spawn_{\ell_3}(Q_1)}(\mathcal{K}_3)$ is computed. $Q_4 = (C_4, \{\ell_*, \ell_3\}, \mathcal{K}_4, I_4)$ where $C_4 = [y = 0, z = 0]$, $\mathcal{K}_4 = [\ell_* \mapsto [y = 0, z = 0]]$ and $I_4 = [y = 0]$.

6. The configuration $Q_5 = \langle\!|\ell_5 z := 3, \ell_\infty|\!\rangle(Q_4)$ is computed. $Q_5 = (C_5, \{\ell_*, \ell_3\}, \mathcal{K}_5, I_5)$ where $C_5 = [y = 0, z = 3]$, $\mathcal{K}_5 = [\ell_* \mapsto [y = 0, z = [0, 3]]]$ and $I_5 = I_4$.

Then, we compute execute-thread a second time, on a new initial configuration $(C_0, L_0, \mathcal{K}_5, I_0)$.

Nothing changes, except at step 3, when $child\text{-}spawn_{\ell_3}$ is applied. The configuration obtained is then $Q'_2 = (C'_2, \{\ell_*\}, \lambda\ell.\bot, I'_2)$ where $C'_2 = [y = 0, z = [0, 3]]$ and $I'_2 = [z = 3]$. Then, the algorithm discovers that the value of $y$ may be 3.

The details of the execution of the algorithm are given in the following table:



Figure 10: Example: $\ell_1 y := 0;\ \ell_2 z := 0;\ \ell_3 create(\ell_4 y := y + z);\ \ell_5 z := 3,\ \ell_\infty$
Step                          | C                    | L         | 𝒦                                        | I
Initial configuration         | y = ?, z = ?         | {ℓ*}      | λℓ.⊥                                     | ⊥
⟨|ℓ1 y := 0, ℓ2|⟩             | y = 0, z = ?         | {ℓ*}      | ℓ* ↦ y = 0                               | ⊥
⟨|ℓ2 z := 0, ℓ3|⟩             | y = 0, z = 0         | {ℓ*}      | ℓ* ↦ y = 0, z = 0                        | ⊥
child-spawn_ℓ3                | y = 0, z = 0         | {ℓ*}      | λℓ.⊥                                     | ⊥
⟨|ℓ4 y := y + z, ℓ∞|⟩         | y = 0, z = 0         | {ℓ*}      | ℓ* ↦ y = 0                               | ⊥
combine_spawn(.)              | y = 0, z = 0         | {ℓ*, ℓ3}  | ℓ* ↦ y = 0, z = 0                        | y = 0
⟨|ℓ5 z := 3, ℓ∞|⟩             | y = 0, z = 3         | {ℓ*, ℓ3}  | ℓ* ↦ y = 0, z = [0,3]; ℓ3 ↦ z = 3        | y = 0
Initial configuration         | y = ?, z = ?         | {ℓ*}      | ℓ* ↦ y = 0, z = [0,3]; ℓ3 ↦ z = 3        | ⊥
⟨|ℓ1 y := 0, ℓ2|⟩             | y = 0, z = ?         | {ℓ*}      | ℓ* ↦ y = 0, z = [0,3]; ℓ3 ↦ z = 3        | ⊥
⟨|ℓ2 z := 0, ℓ3|⟩             | y = 0, z = 0         | {ℓ*}      | ℓ* ↦ y = 0, z = [0,3]; ℓ3 ↦ z = 3        | ⊥
child-spawn_ℓ3                | y = 0, z = [0,3]     | {ℓ*}      | λℓ.⊥                                     | z = 3
⟨|ℓ4 y := y + z, ℓ∞|⟩         | y = [0,3], z = [0,3] | {ℓ*}      | ℓ* ↦ y = [0,3]                           | z = 3
combine_spawn(.)              | y = [0,3], z = 0     | {ℓ*, ℓ3}  | ℓ* ↦ y = [0,3], z = [0,3]; ℓ3 ↦ z = 3    | y = [0,3]
⟨|ℓ5 z := 3, ℓ∞|⟩             | y = [0,3], z = 3     | {ℓ*, ℓ3}  | ℓ* ↦ y = [0,3], z = [0,3]; ℓ3 ↦ z = 3    | y = [0,3]




5 Practical Results 

The abstract semantics is denotational, so we may compute it recursively. This requires computing fixpoints and may fail to terminate. For this reason, each time we have to compute a fixpoint $f^*(X)$ we compute instead the over-approximation $f^\nabla(X)$, where $\nabla$ is a widening operator, in the following way: 1. Assign $X_1 := X$. 2. Compute $X_2 := f(X_1)$. 3. If $X_2 \leq X_1$ then return $X_2$, otherwise, 4. Assign $X_1 := X_1 \nabla X_2$ and go back to 2. Our final algorithm is to compute recursively $guarantee_{\ell cmd, \ell_\infty}$ applied to the initial configuration $(\top, \{\ell_*\}, \lambda\ell.\bot, \bot)$, over-approximating all fixpoint computations.
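The abstract functions of Fig. 8, the semantics of Fig. 9 and the fixpoint loop just described, as an added Python example (not the paper's Parint or MT-Penjili code), instantiated with the interval store of Section 4.2 and run on the program of Fig. 10 from Section 4.4; the tuple encoding of commands, the name `l*` for $\ell_*$ and the join-before-widening delay are assumptions of this example:

```python
# Added example (not the paper's Parint or MT-Penjili code): Fig. 8 and Fig. 9
# instantiated with the non-relational store of integer ranges (Section 4.2),
# run on the program of Fig. 10 with the widening loop of Section 5.
from typing import Dict, List, Optional, Tuple

Interval = Optional[Tuple[float, float]]   # None plays the role of bottom
Store = Dict[str, Interval]                # missing variable = bottom
Kmap = Dict[str, Store]                    # abstract guarantee: label -> store
Cfg = Tuple[Store, frozenset, Kmap, Store] # (C, L, K, I) as in Section 4.1
L_STAR = "l*"                              # special label with post(l*) = States
TOP: Interval = (float("-inf"), float("inf"))

def iv_join(a: Interval, b: Interval) -> Interval:
    if a is None or b is None:
        return b if a is None else a
    return (min(a[0], b[0]), max(a[1], b[1]))
def iv_leq(a: Interval, b: Interval) -> bool:
    return a is None or (b is not None and b[0] <= a[0] and a[1] <= b[1])
def iv_widen(a: Interval, b: Interval) -> Interval:
    if a is None or b is None:            # classical interval widening: a bound
        return iv_join(a, b)              # that still moves jumps to infinity
    return (a[0] if b[0] >= a[0] else float("-inf"),
            a[1] if b[1] <= a[1] else float("inf"))
def st_map(f, a: Store, b: Store) -> Store:       # pointwise join / widening
    return {x: f(a.get(x), b.get(x)) for x in set(a) | set(b)}
def st_leq(a: Store, b: Store) -> bool:
    return all(iv_leq(v, b.get(x)) for x, v in a.items())
def k_map(f, a: Kmap, b: Kmap) -> Kmap:           # label-wise lifting
    return {l: st_map(f, a.get(l, {}), b.get(l, {})) for l in set(a) | set(b)}
def k_leq(a: Kmap, b: Kmap) -> bool:
    return all(st_leq(s, b.get(l, {})) for l, s in a.items())

def val(c: Store, e) -> Interval:   # val_C(e); e is ("const", n), ("var", x) or ("+", e1, e2)
    if e[0] == "const":
        return (e[1], e[1])
    if e[0] == "var":
        return c.get(e[1])
    a, b = val(c, e[1]), val(c, e[2])
    return None if a is None or b is None else (a[0] + b[0], a[1] + b[1])

# ---- basic abstract functions of Fig. 8 (non-relational instance) ----
def assign(cfg: Cfg, x: str, e) -> Cfg:
    C, L, K, I = cfg
    w_inter = {x: val(C, e)}                      # write-inter_{x:=e}(C)
    C2 = st_map(iv_join, I, {**C, **w_inter})     # inter_I o write_{x:=e}(C)
    K2 = {l: st_map(iv_join, K.get(l, {}), w_inter) if l in L else K[l]
          for l in set(K) | L}                    # K'(l) grows for every l in L
    return (C2, L, K2, I)

def spawn(cfg: Cfg, l: str) -> Cfg:
    C, L, K, I = cfg
    return (C, L | {l}, K, I)

def child_spawn(cfg: Cfg, l: str) -> Cfg:
    C, L, K, I = cfg
    I2 = st_map(iv_join, I, K.get(l, {}))         # parent's writes seen by the child
    return (st_map(iv_join, I2, C), L, {}, I2)

def combine(cfg: Cfg, K2: Kmap) -> Cfg:
    C, L, K, I = cfg
    I2 = st_map(iv_join, I, K2.get(L_STAR, {}))   # child's writes seen by the parent
    return (st_map(iv_join, I2, C), L, k_map(iv_join, K, K2), I2)

def guarantee(cmds: List, cfg: Cfg, delay: int = 2) -> Kmap:
    """Fixpoint of execute-thread as in Section 5: X1 := X, X2 := f(X1), return X2
    if X2 <= X1, else X1 := X1 widen X2.  Plain join for the first `delay` rounds
    is a choice of this example, not the paper's."""
    C, L, K1, I = cfg
    for n in range(10_000):   # only a guard: widening makes the loop terminate
        K2 = semantics(cmds, (C, L, K1, I))[2]    # execute-thread_{cmd,C,L,I}(K1)
        if k_leq(K2, K1):
            return K2
        K1 = k_map(iv_join if n < delay else iv_widen, K1, K2)
    raise RuntimeError("widening did not converge")

# ---- Fig. 9: a command is ("assign", x, e) or ("create", label, body) ----
def semantics(cmds: List, cfg: Cfg) -> Cfg:
    for cmd in cmds:
        if cmd[0] == "assign":
            cfg = assign(cfg, cmd[1], cmd[2])
        else:   # create: combine_{spawn(Q)} o guarantee_{body} o child-spawn(Q)
            _, l, body = cmd
            cfg = combine(spawn(cfg, l), guarantee(body, child_spawn(cfg, l)))
    return cfg

# Fig. 10:  l1 y := 0; l2 z := 0; l3 create(l4 y := y + z); l5 z := 3, l_inf
PROG = [("assign", "y", ("const", 0)), ("assign", "z", ("const", 0)),
        ("create", "l3", [("assign", "y", ("+", ("var", "y"), ("var", "z")))]),
        ("assign", "z", ("const", 3))]

def analyze(prog=PROG) -> Tuple[Kmap, Store]:
    """Final algorithm of Section 5: guarantee on (top, {l*}, bottom, bottom);
    one last run of the program under that guarantee yields the final store."""
    q0: Cfg = ({"y": TOP, "z": TOP}, frozenset({L_STAR}), {}, {})
    K = guarantee(prog, q0)
    C = semantics(prog, (q0[0], q0[1], K, q0[3]))[0]
    return K, C
```

`analyze()` returns the guarantee `{l*: y=[0,3], z=[0,3]; l3: z=[3,3]}` and the final store `y=[0,3], z=[3,3]`, i.e. the second round of execute-thread is what lets the analysis see that y may be 3.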

We have implemented two tools, Parint and MT-Penjili, in OCaml with two different abstract stores. The first one maps variables to integer intervals and computes an over-approximation of the values of the variables. The second one extends the analysis of Allamigeon et al. [2], which focuses on pointers, integers, C-style strings and structs and detects array overflows. It analyzes programs in full-fledged C (except for dynamic memory allocation library routines) that use the Pthreads multithread library. We ignore mutexes and condition variables in these implementations. This is sound because mutexes and condition variables only restrict possible transitions. We lose precision if mutexes are used to create atomic blocks, but not if they are used only to prevent data races.

          | L.o.C. | Parint time | MT-Penjili time | false alarms
Message   |     65 |       0.05s |           0.20s |
Embedded  | 27 100 |             |           0.34s |            7
Test 12   |    342 |             |            3.7s |            1
Test 15   |    414 |             |            3.8s |

Table 2: Benchmarks

In Table 2 we show some results on benchmarks of different sizes. L.o.C. means "Lines of Code". "Message" is a C file with 3 threads: one thread sends an integer message to another through a shared variable. "Embedded" is extracted from embedded C code with two threads. "Test 12" and "Test 15" are sets of 12 and 15 files respectively, each one focusing on a specific thread interaction.

To give an idea of the precision of the analysis, we indicate how many false alarms were raised. Our preliminary experiments show that our algorithm loses precision in two ways: 1. through the (single-thread) abstraction on stores, 2. by abstraction on interferences. Indeed, even though our algorithm takes the order of transitions into account for the current thread, it considers that interference transitions may be executed in an arbitrary order and arbitrarily many times. This does not cause any loss in "Message", since the thread which sends the message never puts an incorrect value in the shared variable. Despite the fact that "Embedded" is a large excerpt of actual industrial code, the loss of precision is moderate: 7 false alarms are reported on a total of 27 100 lines. Furthermore, because of this arbitrary order, our analysis straightforwardly extends to models with "relaxed-consistency" and a "temporary" view of thread memory due to the use of caches, e.g., OpenMP.

6 Complexity 

The complexity of our algorithm greatly depends on the widening and narrowing 
operators. Given a program $\langle \ell_0\ prog, \ell_\infty \rangle$, the slowness 
of the widening and narrowing is an integer $w$ such that widening-narrowing 
always stops in at most $w$ steps on each loop and whenever guarantee is 
computed (which also requires an abstract fixpoint computation). Let the 
nesting depth of a program be the nesting depth of while and of create 
commands which² have a subcommand create. 

Proposition 6. Let $d$ be the nesting depth, $n$ the number of commands of 
our program, and $w$ the slowness of our widening. The time complexity of 
our analysis is $O(n\,w^{d+1})$, assuming operations on abstract stores are done 
in constant time. 

This is comparable to the $O(n\,w^d)$ complexity of the corresponding single- 
thread analysis, and certainly much better than the combinatorial explosion 
of interleaving-based analyses. Furthermore, this is better than polynomial in 
an exponential number of states [15]. 

Proof. Let $c(\langle \ell\ cmd, \ell' \rangle)$, $n(\langle \ell\ cmd, \ell' \rangle)$, 
$d(\langle \ell\ cmd, \ell' \rangle)$ and $w(\langle \ell\ cmd, \ell' \rangle)$ be the 
complexity of analyzing $\langle \ell\ cmd, \ell' \rangle$, its size, its nesting 
depth and the slowness of the widening and narrowing on it, respectively. 
Let $a$ and $k$ be the complexity of assign and of reading $\mathcal{K}(\ell)$ 
respectively. 

Proposition 6 is a straightforward consequence of the following lemma³: 

Lemma 36. The complexity of computing $\llbracket \langle \ell\ cmd, \ell' \rangle \rrbracket$ 
is $O(a\,n\,(w + k)\,w^{d-1})$. 

This lemma is proven by induction: 

$c(lv := e) = a$ 

$c(\langle \ell_1\ cmd_1;\ \ell_2\ cmd_2, \ell_3 \rangle) = c(\langle \ell_1\ cmd_1, \ell_2 \rangle) + c(\langle \ell_2\ cmd_2, \ell_3 \rangle)$ 

$c(\langle \ell_1\ while(cond)\{\ell_2\ cmd\}, \ell_3 \rangle) \le w(\langle \ell_1\ while(cond)\{\ell_2\ cmd\}, \ell_3 \rangle) \times c(\langle \ell_2\ cmd, \ell_1 \rangle)$ 

If $\ell_2\ cmd$ does not contain any subcommand create, then the fixpoint 
computation terminates in one step: $c(\langle \ell_1\ create(\ell_2\ cmd), \ell_3 \rangle) = k + c(\ell_2\ cmd)$. 
Otherwise: $c(\langle \ell_1\ create(\ell_2\ cmd), \ell_3 \rangle) = k + w(\langle \ell_1\ create(\ell_2\ cmd), \ell_3 \rangle) \times c(\ell_2\ cmd)$. □ 

² In our semantics, each create needs a fixpoint computation, except a create 
with no subcommand create. 

³ The functions' arguments are omitted for the sake of simplicity. 
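As an added illustration (not from the paper), the following Python evaluates the cost recurrence of the proof above on a small command tree, with the costs a, k and the slowness w as parameters; the tuple encoding of commands and the sample program are constructed for this example and are not the paper's syntax.

```python
# Added example: evaluate the cost recurrence from the proof of Proposition 6.
# Commands are encoded as tuples (a constructed encoding, not the paper's syntax):
#   ("assign",)            cost a
#   ("seq", c1, c2)        c(c1) + c(c2)
#   ("while", body)        w * c(body)
#   ("create", body)       k + c(body)      if body contains no create
#                          k + w * c(body)  otherwise (a fixpoint is needed)

def contains_create(cmd):
    """True if cmd is, or contains, a create (the case that needs a fixpoint)."""
    return cmd[0] == "create" or any(contains_create(s) for s in cmd[1:])

def cost(cmd, a=1, k=1, w=10):
    """Upper bound on analysis cost, following the recurrence case by case."""
    kind = cmd[0]
    if kind == "assign":
        return a
    if kind == "seq":
        return cost(cmd[1], a, k, w) + cost(cmd[2], a, k, w)
    if kind == "while":
        return w * cost(cmd[1], a, k, w)
    if kind == "create":
        body = cmd[1]
        if not contains_create(body):
            return k + cost(body, a, k, w)      # fixpoint terminates in one step
        return k + w * cost(body, a, k, w)     # up to w widening/narrowing steps
    raise ValueError(kind)

def nesting_depth(cmd):
    """Nesting depth d: while always counts; create counts only if it contains a create."""
    kind = cmd[0]
    if kind == "assign":
        return 0
    if kind == "seq":
        return max(nesting_depth(cmd[1]), nesting_depth(cmd[2]))
    inner = nesting_depth(cmd[1])
    if kind == "while" or contains_create(cmd[1]):
        return 1 + inner
    return inner

def size(cmd):
    """Number of commands n."""
    return 1 + sum(size(s) for s in cmd[1:])

# Constructed sample: a create whose child itself creates, and a loop that creates.
PROG = ("seq",
        ("create", ("create", ("while", ("assign",)))),
        ("while", ("create", ("assign",))))

if __name__ == "__main__":
    print(size(PROG), nesting_depth(PROG), cost(PROG))   # 8 2 131
```

Raising w from 10 to 100 multiplies the cost of the doubly nested create by roughly w^2, which is the growth the nesting depth d predicts.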

6.1 Complexity of Operations on the Abstract Store $\mathcal{K}$ 

Notice that Proposition 6 assumes that operations on the abstract store 
$\mathcal{K}$ are done in constant time. This abstract store may be represented 
in different ways. The main problem is the complexity of the assign func- 
tion, which computes a union for each element of $I$. The naive approach 
is to represent $\mathcal{K}$ directly as a map over Labels. Assuming that 
operations on maps are done in constant time, this approach yields an 
$O(t\,n\,w^d)$ complexity, where $t$ is the number⁴ of creates in the program. 
We may also represent $\mathcal{K}$ as a map $\mathcal{K}m$ over $\mathcal{P}(Labels)$ 
such that $\mathcal{K}(\ell) = \bigcup_{L \ni \ell} \mathcal{K}m(L)$, so that assign is 
done in constant time: 
$assign_{lv := e}(C, L, \mathcal{K}m, I) = (inter \circ write_{lv := e}(C),\ L,\ \mathcal{K}m[I \mapsto \mathcal{K}m(I) \cup write\text{-}inter_{lv := e}(C)],\ I)$. 
Nevertheless, accessing the value $\mathcal{K}(\ell)$ may need up to $t$ operations, 
which increases the complexity of child-spawn and combine. The complexity is 
then O(n(w + [truncated in the source] 
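To make the trade-off concrete, here is an added example (not the paper's or its prototype's code) with both representations as small Python classes. Abstract stores are stood in for by sets of (variable, value) pairs, and the label names and creation contexts are constructed for the illustration; each class counts the work its costly operation performs, so the t-per-assign versus t-per-read difference is visible.

```python
# Added example: the two representations of the abstract store K from Section 6.1.
# Stores are stood in for by sets of (variable, value) pairs and labels by short
# strings; both are constructed for this illustration.
from collections import defaultdict

class PerLabelStore:
    """Naive representation: K maps each label to a store.
    assign unions the write-interference into every label of I (up to t unions)."""
    def __init__(self):
        self.k = defaultdict(set)
        self.unions = 0                     # work counter for assign

    def assign(self, I, write_inter):
        for label in I:
            self.k[label] |= write_inter
            self.unions += 1

    def read(self, label):
        return set(self.k[label])           # constant-time lookup of K(label)

class PerSetStore:
    """Alternative: Km maps a set of labels I to a store, updated in one step;
    K(label) is recovered as the union of Km(L) over all L containing label."""
    def __init__(self):
        self.km = defaultdict(set)
        self.scanned = 0                    # work counter for read

    def assign(self, I, write_inter):
        self.km[frozenset(I)] |= write_inter  # single map update

    def read(self, label):
        acc = set()
        for L, store in self.km.items():    # up to t entries to inspect
            self.scanned += 1
            if label in L:
                acc |= store
        return acc

def demo():
    """Replay the same assigns on both representations and compare K(label)."""
    s1, s2 = PerLabelStore(), PerSetStore()
    steps = [({"c1", "c2", "c3"}, {("x", 1), ("y", 2)}),   # (creation context I, writes)
             ({"c1"}, {("x", 5)})]
    for I, writes in steps:
        s1.assign(I, writes)
        s2.assign(I, writes)
    agree = all(s1.read(l) == s2.read(l) for l in ("c1", "c2", "c3"))
    return agree, s1.read("c1"), s1.unions, s2.scanned
```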

6.2 Complexity of Widening 

The slowness $w$ of the widening and narrowing operators depends on the 
abstraction. Nevertheless, a widening is supposed to be fast. 

Consider the naive widening on intervals: $[x, x'] \,\nabla\, [y, y'] = [z, z']$ where 

$z = \begin{cases} x & \text{if } y \ge x \\ -\infty & \text{otherwise} \end{cases}$ 
and 
$z' = \begin{cases} x' & \text{if } y' \le x' \\ +\infty & \text{otherwise} \end{cases}$ 

This widening never widens more than twice on the same variable (once per 
bound). Therefore this naive widening is linear in the worst case. 

⁴ This is different from the number of threads, since an arbitrary number of 
threads may be created at the same location. 
$\llbracket \ell_0\ par\{\ell_1\ cmd_1 \parallel \ell_2\ cmd_2\} \rrbracket(\sigma) = (C_1 \cap C_2,\ L,\ \mathcal{K}',\ I_1 \cup I_2)$ 

where $\sigma = (C, L, \mathcal{K}, I)$, 
with $(C_1, L_1, \mathcal{K}_1, I_1) = guarantee_{\langle \ell_1\ cmd_1, \ell_\infty \rangle} \circ child\text{-}spawn_{\ell_1}(\sigma)$ 
and $(C_2, L_2, \mathcal{K}_2, I_2) = guarantee_{\langle \ell_2\ cmd_2, \ell_\infty \rangle} \circ child\text{-}spawn_{\ell_2}(\sigma)$ 

and $\mathcal{K}' = \mathcal{K}[\ell \mapsto \mathcal{K}_1(\ell) \cup \mathcal{K}_2(\ell)]$ (the label indices are partly illegible in the source) 

Figure 11: Extended syntax 

6.3 Other forms of parallelism 

Our technique also applies to other forms of concurrency. Fig. 11 shows 
how Rugina and Rinard's par constructor [12, 13] would be computed with 
our abstraction. Correctness is a straightforward extension of the techniques 
described in this paper. 

Our model handles programs that use create and par. It can therefore handle 
OpenMP programs with "parallel" and "task" constructs. 

7 Conclusion 

We have described a generic static analysis technique for multithreaded pro- 
grams parametrized by a single-thread analysis framework and based on a 
form of rely-guarantee reasoning. To our knowledge, this is the first such 
modular framework: all previous analysis frameworks concentrated on a par- 
ticular abstract domain. Such modularity allows us to leverage any static 
analysis technique to the multithreaded case. We have illustrated this by 
applying it to two abstract domains: an interval based one, and a richer 
one that also analyzes array overflows, strings, pointers [2]. Both have been 
implemented. 

We have shown that our framework incurs only a moderate (low-degree 
polynomial) amount of added complexity. In particular, we avoid the com- 
binatorial explosion of all interleaving-based approaches. 

Our analyses are always correct, and produce reasonably precise infor- 
mation on the programs we tested. Clearly, for some programs, taking 
locks/mutexes and conditions into account will improve precision. We be- 
lieve this is an orthogonal concern: the non-trivial part of our technique 
is already present without synchronization primitives, as should be manifest 
from the correctness proof of our G-collecting semantics. We leave the in- 
tegration of synchronization primitives with our technique as future work. 
However, locks whose sole purpose is to prevent data races (e.g., ensuring 
that two concurrent accesses to the same variable are done in some arbitrary 
sequential order) have no influence on precision. Taking locks into account 
may be interesting to isolate atomic blocks. 